Abstract. Emerging network scenarios require the development of solid large-scale situated systems. Unfortunately, the diffusion/aggregation computational processes therein often introduce a source of complexity that hampers predictability of the overall system behaviour. Computational fields have been introduced to help engineering such systems: they are spatially distributed data structures designed to adapt their shape to the topology of the underlying (mobile) network and to the events occurring in it, with notable applications to pervasive computing, sensor networks, and mobile robots. To assure behavioural correctness, namely, correspondence of micro-level specification (single device behaviour) with macro-level behaviour (resulting global spatial pattern), we investigate the issue of self-stabilisation for computational fields. We present a tiny, expressive, and type-sound calculus of computational fields, and define sufficient conditions for self-stabilisation, defined as the ability to react to changes in the environment finding a new stable state in finite time. A type-based approach is used to provide a correct checking procedure for self-stabilisation. 


1. Introduction 


Computational fields (sometimes simply fields in the following) are an abstraction traditionally used to enact self-organisation mechanisms in contexts including swarm robotics [3], sensor networks, pervasive computing, task assignment [49], and traffic control [13]. They are distributed data structures originated from pointwise events raised in some specific device (i.e., a sensor), and propagating in a whole network region until forming a spatio-temporal data structure upon which distributed and coordinated computation can take place. Middleware/platforms supporting this notion include TOTA, Proto [36] and SAPERE [15, 44]. The most paradigmatic example of computational field is the so-called gradient [6, 35, 38], mapping each node of the network to the minimum distance from the source node where the gradient has been injected. Gradients are key to get awareness of physical/logical distances, to project a single-device event into a whole network region, and to find the direction towards certain locations of a network, e.g., for routing purposes. Several pieces of work have been developed that investigate coordination models supporting fields, introduce advanced gradient-based spatial patterns [37], study universality and expressiveness, and develop catalogues of self-organisation mechanisms where gradients play a crucial role [25]. 

As with most self-organisation approaches, a key issue is to try to fill the gap between the system micro-level (the single-node computation and interaction behaviour) and the system macro-level (the shape of the globally established spatio-temporal structure), namely, ensuring that the programmed code results in the expected global-level behaviour. However, the issue of formally tackling the problem is basically yet unexplored in the context of spatial computing, coordination, and process calculi; some exceptions are [6, 23], which however apply in rather ad-hoc cases. We note instead that studying this issue will likely shed light on which language constructs are best suited for developing well-engineered self-organisation mechanisms based on computational fields, and to consolidate existing patterns or develop new ones. 

In this paper we follow this direction and devise an expressive calculus to specify the propagation 
process of those computational fields for which we can identify a precise mapping between system 
micro- and macro-level. The key constructs of the calculus are three: sensor fields (considered as 
an environmental input), pointwise functional composition of fields, and a form of spreading that 
tightly couples information diffusion and re-aggregation. The spreading construct is constrained 
so as to enforce a special “stabilising-diffusion condition” that we identified, by which we derive 
self-stabilisation [22], that is, the ability of the system running computational fields to reach a stable 
distributed state in spite of perturbations (changes of network topology and of local sensed data) 
from which it recovers in finite time. A consequence of our results is that the ultimate (and stable) 
state of an even complex computational field can be fully-predicted once the environment state is 
known (network topology and sensors state). Still, checking that a field specification satisfies such 
stabilising-diffusion condition is subtle, since it involves the ability of reasoning about the relation 
holding between inputs and outputs of functions used to propagate information across nodes. Hence, 
as an additional contribution, we introduce a type-based approach that provides a correct checking 
procedure for the stabilising-diffusion condition. 

The remainder of this paper is organised as follows: Section 2 illustrates the proposed linguistic constructs by means of examples; Section 3 presents the calculus and formalises the self-stabilisation property; Section 4 introduces the stabilising-diffusion condition to constrain spreading in order to ensure self-stabilisation; Section 5 proves that the stabilising-diffusion condition guarantees self-stabilisation; Section 6 extends the calculus with the pair data structure and provides further examples; Sections 7, 8 and 9 incrementally present a type-based approach for checking the stabilising-diffusion condition and prove that the approach is sound; Section 10 discusses related work; and finally Section 11 concludes and discusses directions for future work. The appendices contain the proof of the main results. A preliminary version of some of the material presented in this paper appeared 
Figure 1: Syntax of expressions and function definitions

  e ::= x | s | g | e0 ? e1 : e2 | f(e1, ..., en) | {e : f(@, e1, ..., en)}   expression
  f ::= d | b                                                           function name
  D ::= def T d(T1 x1, ..., Tn xn) is e                                 function definition
2. Computational Fields 

From an abstract viewpoint, a computational field is simply a map from nodes of a network to some kind of value. They are used as a valuable abstraction to engineer self-organisation into networks of situated devices. Namely, out of local interactions (devices communicating with a small neighbourhood), global and coherent patterns (the computational fields themselves) establish that are robust to changes of environmental conditions. Such an adaptive behaviour is key in developing system coordination in dynamic and unpredictable environments [10]. 

Self-organisation and computational fields are known to build on top of three basic mechanisms [25]: diffusion (devices broadcast information to their neighbours), aggregation (multiple information can be reduced back into a single sum-up value), and evaporation/decay (a cleanup mechanism is used to reactively adapt to changes). These mechanisms have been used to synthesise a rather vast set of distributed algorithms [15, 17, 25]. 

For instance, these mechanisms are precisely those used to create adaptive and stable gradients, which are building blocks of more advanced patterns [25, 37]. A gradient is used to reify in any node some information about the path towards the nearest gradient source. It can be computed by the following process: value 0 is held in the gradient source; each node executes asynchronous computation rounds in which (i) messages from neighbours are gathered and aggregated in a minimum value, (ii) this is increased by one and is diffused to all neighbours, and (iii) the same value is stored locally, to replace the old one which decays. This continuous "spreading process" stabilises to a so-called hop-count gradient, storing distance to the nearest source in any node, and automatically repairing in finite time to changes in the environment (changes of topology, position and number of sources). 

2.1. Basic Ingredients. Based on these ideas, and framing them so as to isolate those cases where the spreading process actually stabilises, we propose a core calculus to express computational fields. Its syntax is reported in Figure 1. Our language is typed and (following the general approach used in other languages for spatial computing [46, 36], of which the one we propose here can be considered a core fragment) functional. 

Types T are monomorphic. For simplicity, only ground types G (like real and bool) are modeled; in Section 6 we will point out that the properties of the calculus are indeed parametric in the set of modeled types (in particular, we will consider an extension of the calculus that models pairs). We write [[T]] to denote the set of the values of type T. We assume that each type T is equipped with a total order <_T over [[T]] that is noetherian, i.e., there are no infinite ascending chains of values v0 <_T v1 <_T v2 <_T ... . This implies that [[T]] has a maximum element, that we denote by ⊤_T. Each ground type usually comes with a natural ordering (for bool we consider FALSE <_bool TRUE) which is total and noetherian, though in principle ad-hoc ordering relations could be used in a deployed specification language. 

An expression can be a variable x, a sensor s, a ground value g, a conditional e0 ? e1 : e2, a function application f(e1, ..., en) or a spreading {e : f(@, e1, ..., en)}. Variables are the formal parameters of a function. 

Sensors are sources of input produced by the environment, available in each device (in examples, we shall use for them literals starting with symbol #). For instance, in an urban scenario we may want to use a crowd sensor #crowd yielding non-negative real numbers, to represent the perception of crowd level available in each deployed sensor over time. 

Values V coincide with ground values g (i.e., values of ground type), like reals (e.g., 1, 5.7,... 
and POSINF and NEGINF meaning the maximum and the minimum real, respectively) and booleans 
(TRUE and FALSE). 

A function can be either a built-in function b or a user-defined function d. Built-in functions include usual mathematical/logical ones, used either in prefix or infix notation, e.g., to form expressions like 2*#crowd and or(TRUE, FALSE). User-defined functions are declared by a function definition def T d(T1 x1, ..., Tn xn) is e; cyclic definitions are prohibited, and the 0-ary function main is the program entry point. As a first example of user-defined function consider the following function restrict: 

def real restrict(real i, bool c) is c ? i : POSINF. 

It takes two arguments i and c, and yields the former if c is true, or POSINF otherwise—as we shall 
see, because of our semantics POSINF plays a role similar to an undefined value. 

A pure function f is either a built-in function b, or a user-defined function d whose call graph (including d itself) does not contain functions with spreading expressions or sensors in their body. We write [[f]] to denote the (trivial) semantics of a pure function f, which is a computable function that maps a tuple of elements from [[T1]], ..., [[Tn]] to [[T]], where T1, ..., Tn and T are the types of the arguments and the type of the result of f, respectively. 

As in [46, 36], expressions in our language have a twofold interpretation. When focussing on the local device behaviour, they represent values computed in a node at a given time. When reasoning about the global outcome of a specification instead, they represent whole computational fields: 1 is the immutable field holding 1 in each device, #crowd is the (evolving) crowd field, and so on. 

The key construct of the proposed language is spreading, denoted by syntax {e : f(@, e1, ..., en)}, where e is called source expression, and f(@, e1, ..., en) is called diffusion expression. In a diffusion expression the function f, which we call diffusion, must be a pure function whose return type and first argument type are the same. The symbol @ plays the role of a formal argument, hence the diffusion expression can be seen as the body of an anonymous, unary function. Viewed locally to a node, expression e = {e0 : f(@, e1, ..., en)} is evaluated at a given time to value v as follows: 

(1) expressions e0, e1, ..., en are evaluated to values v0, v1, ..., vn; 

(2) the current values w1, ..., wm of e in neighbours are gathered; 

(3) for each w_j in them, the diffusion function is applied as f(w_j, v1, ..., vn), giving value w'_j; 

(4) the final result v is the minimum value among {v0, w'_1, ..., w'_m}: this value is made available to other nodes. 

Note that v ≤_T v0, and if the device is isolated then v = v0. Note also that the node's own previous value does not take part in the minimum: it is recomputed from scratch at every round (this is the decay mechanism), which is what lets stale values disappear after the environment changes. Viewed globally, {e0 : f(@, e1, ..., en)} represents a field initially equal to e0; as time passes some field values can decrease due to smaller values being received from neighbours (after applying the diffusion function). 

The hop-count gradient created out of a #src sensor is hence simply defined as 

{ #src : @ + 1 } 

assuming #src holds what we call a zero-field, namely, it is 0 on source nodes and POSINF everywhere else. In this case #src is the source expression, and the diffusion f is the unary successor function. 
  def real grad(real i) is { i : @ + #dist }

  def real restrict(real i, bool c) is c ? i : POSINF

  def real restrictSum(real x, real y, bool c) is restrict(x + y, c)

  def real gradobs(real i, bool c) is { i : restrictSum(@, #dist, c) }

  def real gradbound(real i, real z) is gradobs(i, grad(i) < z)

Figure 2: Definitions of examples 




Figure 3: Pictorial representation of hop-count gradient field (left), a gradient circumventing “crowd” 
obstacles field (center), and a gradient with bounded distance (right) 


2.2. Examples. As a reference scenario to ground the discussion, we can consider crowd steering in pervasive environments: computational fields run on top of a myriad of small devices spread in the environment (including smartphones), and are used to guide people in complex environments (buildings, cities) towards points of interest (POIs) across appropriate paths. There, a smartphone can perceive neighbour values of a gradient spread from a POI, and give directions towards smallest values so as to steer its owner and make him/her quickly descend the gradient [35]. Starting from the hop-count gradient, various kinds of behaviour useful in crowd steering can be programmed, based on the definitions reported in Figure 2. 

The first function in Figure 2 defines a more powerful gradient construct, called grad, which can be used to generalise over the hop-by-hop notion of distance: sensor #dist is assumed to exist that reifies an application-specific notion of distance as a positive number. It can be 1 everywhere to model the hop-count gradient, or can vary from device to device to take into consideration contextual information. For instance, it can be the output of a crowd sensor, leading to greater distances when/where crowded areas are perceived, so as to dynamically compute routes penalising crowded areas as in [38]. In this case, note that the diffusion function f maps (v1, v2) to v1 + v2. Figure 3 (left) shows a pictorial representation, assuming devices are uniformly spread in a 2D environment: considering that an agent or data items move in the direction descending the values of a field, a gradient looks like a sort of uniform attractor towards the source, i.e., to the nearest source node. It should be noted that when deployed in articulated environments, the gradient would stretch and dilate to accommodate the static/dynamic shape of the environment, computing optimal routes. 

By suitably changing the diffusion function, it is also possible to block the diffusion process of gradients, as shown in function gradobs: there, by restriction we turn the gradient value to POSINF in nodes where the "obstacle" boolean field c holds FALSE. This can be used to completely circumvent obstacle areas, as shown in Figure 3 (center). Note that we here refer to a "blocking" behaviour, since sending a POSINF value has no effect on the target because of the semantics of spreading; hence, an optimised implementation could simply avoid sending a POSINF at all, so as not to flood the entire network. This pattern is useful whenever steering people in environments with prohibited areas, e.g. road construction in an urban scenario. 

Figure 4: Type-checking rules for expressions and function definitions 

Expression type checking: 𝒯 ⊢ e : T

[T-VAR]  $\mathcal{T}, x : T \vdash x : T$

[T-SNS]  $\mathcal{T} \vdash s : \mathit{type}(s)$

[T-GVAL]  $\mathcal{T} \vdash g : \mathit{type}(g)$

[T-COND]  $\dfrac{\mathcal{T} \vdash e_0 : \mathtt{bool} \quad \mathcal{T} \vdash e_1 : T \quad \mathcal{T} \vdash e_2 : T}{\mathcal{T} \vdash e_0\,?\,e_1 : e_2 : T}$

[T-FUN]  $\dfrac{\mathit{t\text{-}sig}(f) = T(\overline{T}) \quad \mathcal{T} \vdash \overline{e} : \overline{T}}{\mathcal{T} \vdash f(\overline{e}) : T}$

[T-SPR]  $\dfrac{\mathit{diffusion}(f) \quad \mathcal{T} \vdash f(e, \overline{e}) : T}{\mathcal{T} \vdash \{e : f(@, \overline{e})\} : T}$

User-defined function type checking: ⊢ D : T(T̄)

[T-DEF]  $\dfrac{\overline{x} : \overline{T} \vdash e : T}{\vdash \mathtt{def}\ T\ d(\overline{T}\ \overline{x})\ \mathtt{is}\ e : T(\overline{T})}$

Finally, by a different blocking mechanism we can limit the propagation distance of a gradient, as shown by function gradbound and Figure 3 (right): the second argument z imposes a numerical bound to the distance, which is applied by exploiting the functions gradobs and grad. Note that in gradbound the two spreading expressions (the one inside grad and the one inside gradobs) are distinct fields: the inner gradient is computed first, its value in each node decides the boolean c, and c in turn blocks the outer spreading. 

In Section 6 we will exploit the pair data structure to program more advanced examples of behaviour useful in crowd steering. 
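The round-by-round evaluation of Section 2.1 and the three example fields of Figure 2, as an added Python simulation. This is an illustration written for this page, not code from the paper or from any of the platforms it cites. It assumes a constructed 3x3 grid of devices with hop-count distance (#dist = 1 everywhere), a zero-field #src, and an #obstacle boolean sensor standing in for the field c passed to gradobs; devices fire in a random but fair order with the min-aggregation semantics of steps (1)-(4), and the run is repeated after the source moves so that repair in finite time can be observed. Each spreading expression keeps its own state under its own key, mirroring the fact that the inner grad of gradbound is a field distinct from the top-level grad.

```python
import math
import random
from typing import Callable, Dict, Hashable, List, Tuple

POSINF = math.inf  # the maximum real; behaves as an "undefined" value under min
Device = Hashable


class Network:
    """Topology, per-device sensors and the last value broadcast by each device
    for every spreading expression (keyed by the expression's name)."""

    def __init__(self, links: List[Tuple[Device, Device]], sensors: Dict[Device, dict]):
        self.sensors = sensors
        self.nbrs: Dict[Device, set] = {d: set() for d in sensors}
        for a, b in links:
            self.nbrs[a].add(b)
            self.nbrs[b].add(a)
        self.state: Dict[Tuple[str, Device], float] = {}

    def spread(self, key: str, d: Device, v0: float, diffusion: Callable[[float], float]) -> float:
        """One local round of { e0 : f(@, e1, ..., en) } at device d, steps (1)-(4)
        of Section 2.1: apply the diffusion to each neighbour's last value for this
        expression, take the minimum together with v0, and publish the result.
        A neighbour that has not fired yet contributes POSINF, which min ignores;
        the device's own previous value is not retained (it decays), so stale
        values get repaired once the environment changes."""
        cands = [v0] + [diffusion(self.state.get((key, n), POSINF)) for n in self.nbrs[d]]
        v = min(cands)
        self.state[(key, d)] = v
        return v


def restrict(i: float, c: bool) -> float:
    return i if c else POSINF


def grad(net: Network, d: Device, key: str = "grad") -> float:
    s = net.sensors[d]
    return net.spread(key, d, s["#src"], lambda w: w + s["#dist"])


def gradobs(net: Network, d: Device, c: bool, key: str = "gradobs") -> float:
    s = net.sensors[d]
    return net.spread(key, d, s["#src"], lambda w: restrict(w + s["#dist"], c))


def gradbound(net: Network, d: Device, z: float) -> float:
    # the inner grad is a distinct spreading expression, hence a distinct key
    return gradobs(net, d, grad(net, d, key="gradbound.grad") < z, key="gradbound.obs")


def main(net: Network, d: Device) -> Tuple[float, float, float]:
    """Program entry point: three fields per device (plain gradient, gradient
    blocked by the #obstacle sensor, gradient bounded to distance < 3)."""
    return (grad(net, d), gradobs(net, d, not net.sensors[d]["#obstacle"]), gradbound(net, d, 3))


def run_until_stable(net: Network, program, rng: random.Random, max_sweeps: int = 1000):
    """Fire every device once per sweep in a random (fair, asynchronous) order
    until a whole sweep changes no output; returns (outputs, sweeps used)."""
    outputs: Dict[Device, tuple] = {}
    for sweep in range(1, max_sweeps + 1):
        order = list(net.nbrs)
        rng.shuffle(order)
        changed = False
        for d in order:
            out = program(net, d)
            if outputs.get(d) != out:
                outputs[d], changed = out, True
        if not changed:
            return outputs, sweep
    raise RuntimeError("field did not stabilise within max_sweeps")


def grid_3x3(source: Device, obstacle: Device) -> Network:
    """Constructed scenario: a 3x3 4-neighbour grid, hop-count distance (#dist = 1),
    a zero-field #src and one obstacle cell (the #obstacle sensor is an assumption)."""
    cells = [(x, y) for x in range(3) for y in range(3)]
    links = [(a, b) for a in cells for b in cells
             if a < b and abs(a[0] - b[0]) + abs(a[1] - b[1]) == 1]
    sensors = {c: {"#src": 0 if c == source else POSINF, "#dist": 1,
                   "#obstacle": c == obstacle} for c in cells}
    return Network(links, sensors)


def demo():
    """Stabilise once, then perturb the environment (the source moves to the
    opposite corner) and stabilise again; both stable fields are returned."""
    rng = random.Random(7)
    net = grid_3x3(source=(0, 0), obstacle=(1, 1))
    before, _ = run_until_stable(net, main, rng)
    net.sensors[(0, 0)]["#src"] = POSINF
    net.sensors[(2, 2)]["#src"] = 0
    after, _ = run_until_stable(net, main, rng)
    return before, after


if __name__ == "__main__":
    for label, field in zip(("before", "after"), demo()):
        print(label, {d: field[d] for d in sorted(field)})
```

In the first stable field the cell opposite the source reads (4, 4, POSINF): the plain and the obstacle-avoiding gradients both find a length-4 path around the blocked centre, while the bounded gradient is POSINF there because 4 < 3 fails. After the source moves, the old values are not carried over (the previous local value never enters the minimum), so the stale low values near the old corner rise sweep by sweep until the new distances arrive; the run terminates because every value is bounded below by the true distance.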

3. The Calculus of Self-Stabilising Computational Fields 

After informally introducing the proposed calculus in the previous section, we now provide a formal account of it and precisely state the self-stabilisation property. Namely, we formalise and illustrate by means of examples the type system (in Section 3.1), the operational semantics (in Section 3.2), and the self-stabilisation property (in Section 3.3). 

3.1. Type checking. The syntax of the calculus is reported in Figure 1. As a standard syntactic notation in calculi for object-oriented and functional languages [32], we use the overbar notation to denote metavariables over lists, e.g., we let ē range over lists of expressions, written e1 e2 ... en, and similarly for x̄, T̄ and so on. We write t-sig(f) to denote the type-signature T(T̄) of f (which specifies the type T of the result and the types T̄ = T1, ..., Tn of the n ≥ 0 arguments of f). We assume that the mapping t-sig(·) associates a type-signature to each built-in function and, for user-defined functions, returns the type-signature specified in the function definition. 

A program P in our language is a mapping from function names to function definitions, enjoying the following sanity conditions: (i) P(d) = def ··· d(···) is ··· for every d ∈ dom(P); (ii) for every function name d appearing anywhere in P, we have d ∈ dom(P); (iii) there are no cycles in the function call graph (i.e., there are no recursive functions in the program); and (iv) main ∈ dom(P) and it has zero arguments. A program that does not contain the main function is called a library. 

The type system we provide aims to guarantee that no run-time error may arise during evaluation: its typing rules are given in Figure 4. Type environments, ranged over by 𝒯 and written x̄ : T̄, contain type assumptions for program variables. The type-checking judgement for expressions is of the form 𝒯 ⊢ e : T, to be read: e has type T under the type assumptions 𝒯 for the program variables occurring in e. As a standard syntax in type systems [32], given x̄ = x1, ..., xn, T̄ = T1, ..., Tn and ē = e1, ..., en (n ≥ 0), we write x̄ : T̄ as short for x1 : T1, ..., xn : Tn, and 𝒯 ⊢ ē : T̄ as short for 𝒯 ⊢ e1 : T1 ··· 𝒯 ⊢ en : Tn. 

Figure 5: Ground types, types for sensors, and type-signatures for built-in functions used in the examples 

Ground types: 
  G ::= bool | real 

Sensor types: 
  type(#src) = real 
  type(#dist) = real 

Built-in function type-signatures: 
  t-sig(not) = bool(bool) 
  t-sig(or) = bool(bool, bool) 
  t-sig(·) = real(real) 
  t-sig(+) = real(real, real) 
  t-sig(=) = bool(real, real) 
  t-sig(<) = bool(real, real) 

Type checking of variables, sensors, ground values, conditionals, and function applications is almost standard. In particular, values, sensors and built-in functions are given a type by construction: the mapping type(·) associates a sort to each ground value and to each sensor, while rule [T-FUN] exploits the mapping t-sig(·). 

Example 3.1. Figure 5 illustrates the ground types, sensors, and built-in functions used in the examples introduced throughout the paper. 

The only ad-hoc type checking is provided for spreading expressions {e : f(@, ē)}: they are given the type of f(e, ē), though the function f must be a diffusion, according to the following definition. 

Definition 3.2 (Diffusion). A type signature T(T̄) with T̄ = T1, ..., Tn (n ≥ 1) is a diffusion type signature (notation diffusion(T(T̄))) if T = T1. A pure function f is a diffusion (notation diffusion(f)) if its type signature t-sig(f) is a diffusion type signature. 

Example 3.3. Consider the functions defined in Figure 2. The following two predicates hold: 

• diffusion(+), and 

• diffusion(restrictSum). 

Function type checking, represented by judgement ⊢ D : T(T̄), is standard. In the following we always consider a well-typed program (or library) P, to mean that all the function declarations in P type check. Note that no choice may be done when building a derivation for a given type-checking judgement, so the type-checking rules straightforwardly describe a type-checking algorithm. 

Example 3.4. The library in Figure 2 type checks by using the ground types, sensors, and type-signatures for built-in functions in Figure 5. 
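The type-checking algorithm the rules describe, as an added Python implementation (written for this page, not code from the paper). It takes expressions as tagged tuples, implements the rules of Figure 4 with the built-in and sensor types of Figure 5, checks sanity condition (iii) by walking the call graph, and enforces the two side conditions that make [T-SPR] ad hoc: the diffusion predicate of Definition 3.2 and the purity requirement of Section 2.1 (the purity check is not in Figure 4; it is implemented here as a separate call-graph walk because [T-SPR] as printed only states diffusion(f)). The library of Figure 2 is accepted; two constructed ill-formed libraries are rejected.

```python
from typing import Dict, List, Tuple

REAL, BOOL = "real", "bool"
POSINF = float("inf")

# Figure 5: type-signatures of built-ins as (result type, argument types), and sensor types
BUILTINS: Dict[str, Tuple[str, List[str]]] = {
    "not": (BOOL, [BOOL]), "or": (BOOL, [BOOL, BOOL]), "+": (REAL, [REAL, REAL]),
    "=": (BOOL, [REAL, REAL]), "<": (BOOL, [REAL, REAL]),
}
SENSORS = {"#src": REAL, "#dist": REAL}


class IllTyped(Exception):
    pass


# expressions: ("var", x) ("sns", s) ("val", g) ("cond", e0, e1, e2) ("app", f, [args]) ("spr", e0, f, [args])
def X(x): return ("var", x)
def S(s): return ("sns", s)
def V(g): return ("val", g)
def app(f, *args): return ("app", f, list(args))
def spr(e0, f, *args): return ("spr", e0, f, list(args))


class Checker:
    def __init__(self, program, builtins=BUILTINS, sensors=SENSORS):
        self.program = program   # d -> (T, [(Ti, xi)], body), i.e. def T d(T1 x1, ..., Tn xn) is e
        self.builtins, self.sensors = builtins, sensors

    def t_sig(self, f):
        if f in self.builtins:
            return self.builtins[f]
        if f in self.program:
            ret, params, _ = self.program[f]
            return ret, [t for t, _ in params]
        raise IllTyped(f"unknown function {f}")

    def is_diffusion(self, f) -> bool:
        """Definition 3.2: the result type equals the type of the first argument."""
        ret, args = self.t_sig(f)
        return len(args) >= 1 and ret == args[0]

    def is_pure(self, f) -> bool:
        """Section 2.1: built-ins are pure; a user function is pure when no function
        in its call graph has a sensor or a spreading expression in its body."""
        return f in self.builtins or self._pure_expr(self.program[f][2])

    def _pure_expr(self, e) -> bool:
        tag = e[0]
        if tag in ("var", "val"): return True
        if tag in ("sns", "spr"): return False
        if tag == "cond": return all(self._pure_expr(x) for x in e[1:])
        return self.is_pure(e[1]) and all(self._pure_expr(x) for x in e[2])  # app

    def _calls(self, e) -> set:
        tag = e[0]
        if tag in ("var", "sns", "val"): return set()
        if tag == "cond": return set().union(*(self._calls(x) for x in e[1:]))
        if tag == "app": return {e[1]}.union(*(self._calls(x) for x in e[2]))
        return {e[2]} | self._calls(e[1]) | set().union(*(self._calls(x) for x in e[3]))  # spr

    def check_acyclic(self) -> bool:
        """Sanity condition (iii): the function call graph has no cycles."""
        def visit(d, stack):
            if d in stack: raise IllTyped(f"recursive definition through {d}")
            if d in self.program:
                for g in self._calls(self.program[d][2]): visit(g, stack + (d,))
        for d in self.program: visit(d, ())
        return True

    def check_expr(self, env, e) -> str:
        tag = e[0]
        if tag == "var":                                                  # [T-VAR]
            if e[1] not in env: raise IllTyped(f"unbound variable {e[1]}")
            return env[e[1]]
        if tag == "sns": return self.sensors[e[1]]                        # [T-SNS]
        if tag == "val": return BOOL if isinstance(e[1], bool) else REAL  # [T-GVAL]
        if tag == "cond":                                                 # [T-COND]
            if self.check_expr(env, e[1]) != BOOL: raise IllTyped("condition is not bool")
            t1, t2 = self.check_expr(env, e[2]), self.check_expr(env, e[3])
            if t1 != t2: raise IllTyped("branches have different types")
            return t1
        if tag == "app": return self._check_app(env, e[1], e[2])          # [T-FUN]
        _, e0, f, args = e                                                # [T-SPR]
        if not self.is_diffusion(f): raise IllTyped(f"{f} is not a diffusion")
        if not self.is_pure(f): raise IllTyped(f"diffusion {f} is not pure")
        return self._check_app(env, f, [e0] + args)

    def _check_app(self, env, f, args) -> str:
        ret, params = self.t_sig(f)
        actual = [self.check_expr(env, a) for a in args]
        if actual != params: raise IllTyped(f"{f} expects {params}, got {actual}")
        return ret

    def check_program(self) -> bool:
        """[T-DEF] for every definition, after the acyclicity check (is_pure relies on it)."""
        self.check_acyclic()
        for d, (ret, params, body) in self.program.items():
            if self.check_expr({x: t for t, x in params}, body) != ret:
                raise IllTyped(f"body of {d} is not of type {ret}")
        return True


FIGURE2 = {  # the library of Figure 2
    "grad": (REAL, [(REAL, "i")], spr(X("i"), "+", S("#dist"))),
    "restrict": (REAL, [(REAL, "i"), (BOOL, "c")], ("cond", X("c"), X("i"), V(POSINF))),
    "restrictSum": (REAL, [(REAL, "x"), (REAL, "y"), (BOOL, "c")], app("restrict", app("+", X("x"), X("y")), X("c"))),
    "gradobs": (REAL, [(REAL, "i"), (BOOL, "c")], spr(X("i"), "restrictSum", S("#dist"), X("c"))),
    "gradbound": (REAL, [(REAL, "i"), (REAL, "z")], app("gradobs", X("i"), app("<", app("grad", X("i")), X("z")))),
}
# two constructed ill-formed libraries: "<" returns bool, so it cannot diffuse a real;
# "noisy" has a diffusion signature but reads a sensor, so it is not pure
BAD_DIFFUSION = {"bad": (BOOL, [(REAL, "i")], spr(X("i"), "<", V(5.0)))}
IMPURE = {"noisy": (REAL, [(REAL, "x")], app("+", X("x"), S("#dist"))),
          "bad": (REAL, [(REAL, "i")], spr(X("i"), "noisy"))}


def rejects(program) -> bool:
    try:
        Checker(program).check_program()
        return False
    except IllTyped:
        return True
```

Because every rule is syntax directed, check_expr never backtracks: the constructor of the expression selects the rule, exactly as the remark after Example 3.3 states. The acyclicity check runs first on purpose, since is_pure recurses through the call graph and would not terminate on a recursive library.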
3.2. Operational Semantics. In this section we formalise the operational semantics of the calculus. As for the field calculus [46] and the Proto language [36], devices undergo computation in rounds. In each round, a device sleeps for some time, wakes up, gathers information about messages received from neighbours while sleeping, evaluates the program, and finally broadcasts a message to neighbours with information about the outcome of evaluation and goes back to sleep. The scheduling of such rounds across the network is fair and non-synchronous. The structure of the network may change over time: when a device is sleeping its neighbourhood may change and the device itself may disappear (switch-off) and subsequently appear (switch-on). We first focus on single-device computations (in Section 3.2.1) and then on whole network evolution (in Section 3.2.2). 


3.2.1. Device Computation. In the following, we let meta-variable ι range over the denumerable set 𝐈 of device identifiers, meta-variable I over finite sets of such devices, and meta-variables u, v and w over values. Given a finite nonempty set V ⊆ [[T]] we denote by ∧V its minimum element, and write v ∧ v' as short for ∧{v, v'}. 

In order to simplify the notation, we shall assume a fixed program P and write emain to denote the body of the main function. We say that "device ι fires", to mean that expression emain is evaluated on device ι. The result of the evaluation is a value-tree, which is an ordered tree of values, tracking the value of any evaluated subexpression. Intuitively, such an evaluation is performed against the most recently received value-trees of current neighbours and the current value of sensors, and produces as result a new value-tree that is broadcast to current neighbours for their firing. Note that considering simply a value (instead of a value-tree) as the outcome of the evaluation of emain on a device ι would not be enough, since the evaluation of each spreading expression e occurring in emain requires the values (at the root of their sub-value-trees) produced by the most recent evaluation of e on neighbours of ι (cf. Section 2.1).¹ 

The syntax of value-trees is given in Figure 6 together with the definition of the auxiliary functions ρ(·) and π_i(·) for extracting the root value and the i-th subtree of a value-tree, respectively; also the extension of these functions to sequences of value-trees θ̄ is defined. We sometimes abuse the notation writing a value-tree with just the root as v instead of v(). The state of sensors σ is a map from sensor names to values, modelling the inputs received from the external world. This is written s̄ ▷ v̄ as an abuse of notation to mean s1 ▷ v1, ..., sn ▷ vn. We shall assume that it is complete (it has a mapping for any sensor used in the program), and correct (each sensor s has a type written type(s), and is mapped to a value of that type). For this map, and for the others to come, we shall use the following notations: σ(s) is used to extract the value that s is mapped to; σ[σ'] is the map obtained by updating σ with all the associations s ▷ v of σ' which do not escape the domain of σ (namely, only those such that σ is defined for s). 

The computation that takes place on a single device is formalised by the big-step operational semantics rules given in Figure 6. The derived judgements are of the form σ; θ̄ ⊢ e ⇓ θ, to be read "expression e evaluates to value-tree θ on sensor state σ and w.r.t. the value-trees θ̄", where: 

• σ is the current sensor-value map, modelling the inputs received from the external world; 

• θ̄ is the list of the value-trees produced by the most recent evaluation of e on the current device's neighbours; 

• e is the closed expression to be evaluated; 

• the value-tree θ represents the values computed for all the expressions encountered during the evaluation of e; in particular ρ(θ) is the local value of field expression e. 

¹ Any implementation might massively compress the value-tree, storing only enough information for tracking the values of spreading expressions. 
Figure 6: Big-step operational semantics for expression evaluation 

Value-trees and sensor-value maps: 
  θ, η ::= v(θ̄)   value-tree 
  σ ::= s̄ ▷ v̄   sensor-value map 

Auxiliary functions: 
  ρ(v(θ̄)) = v   π_i(v(θ_1, ..., θ_n)) = θ_i 

Rules for expression evaluation: 

[E-SNS]  $\sigma;\overline{\theta} \vdash s \Downarrow \sigma(s)$

[E-VAL]  $\sigma;\overline{\theta} \vdash v \Downarrow v$

[E-COND]  $\dfrac{\sigma;\pi_1(\overline{\theta}) \vdash e_1 \Downarrow \eta_1 \quad \sigma;\pi_2(\overline{\theta}) \vdash e_2 \Downarrow \eta_2 \quad \sigma;\pi_3(\overline{\theta}) \vdash e_3 \Downarrow \eta_3 \quad v = \rho(\eta_2)\ \text{if}\ \rho(\eta_1) = \mathtt{TRUE},\ v = \rho(\eta_3)\ \text{if}\ \rho(\eta_1) = \mathtt{FALSE}}{\sigma;\overline{\theta} \vdash e_1\,?\,e_2 : e_3 \Downarrow v(\eta_1, \eta_2, \eta_3)}$

[E-BLT]  $\dfrac{\sigma;\pi_1(\overline{\theta}) \vdash e_1 \Downarrow \eta_1 \;\cdots\; \sigma;\pi_n(\overline{\theta}) \vdash e_n \Downarrow \eta_n \quad v = [\![b]\!](\rho(\eta_1), \ldots, \rho(\eta_n))}{\sigma;\overline{\theta} \vdash b(e_1, \ldots, e_n) \Downarrow v(\eta_1, \ldots, \eta_n)}$

[E-DEF]  $\dfrac{\mathtt{def}\ T\ d(T_1\,x_1, \ldots, T_n\,x_n)\ \mathtt{is}\ e \quad \sigma;\pi_1(\overline{\theta}) \vdash e_1 \Downarrow \eta_1 \;\cdots\; \sigma;\pi_n(\overline{\theta}) \vdash e_n \Downarrow \eta_n \quad \sigma;\pi_{n+1}(\overline{\theta}) \vdash e[x_1 := \rho(\eta_1), \ldots, x_n := \rho(\eta_n)] \Downarrow v(\overline{\eta})}{\sigma;\overline{\theta} \vdash d(e_1, \ldots, e_n) \Downarrow v(\eta_1, \ldots, \eta_n, v(\overline{\eta}))}$

[E-SPR]  $\dfrac{\sigma;\pi_0(\overline{\theta}) \vdash e_0 \Downarrow \eta_0 \;\cdots\; \sigma;\pi_n(\overline{\theta}) \vdash e_n \Downarrow \eta_n \quad \rho(\eta_0, \ldots, \eta_n) = v_0 \ldots v_n \quad \rho(\overline{\theta}) = w_1 \ldots w_m \quad \sigma;\emptyset \vdash f(w_1, v_1, \ldots, v_n) \Downarrow u_1(\cdots) \;\cdots\; \sigma;\emptyset \vdash f(w_m, v_1, \ldots, v_n) \Downarrow u_m(\cdots)}{\sigma;\overline{\theta} \vdash \{e_0 : f(@, e_1, \ldots, e_n)\} \Downarrow \bigwedge\{v_0, u_1, \ldots, u_m\}(\eta_0, \eta_1, \ldots, \eta_n)}$

The rules of the operational semantics are syntax directed, namely, the rule used for deriving a judgement σ; θ̄ ⊢ e ⇓ θ is univocally determined by e (cf. Figure 6). Therefore, the shape of the value-tree θ is univocally determined by e, and the whole value-tree is univocally determined by σ, θ̄, and e. 

The rules of the operational semantics are almost standard, with the exception that rules [E-COND], [E-BLT], [E-DEF] and [E-SPR] use the auxiliary function π_i(·) to ensure that, in the judgements in the premise of the rule, the value-tree environment is aligned with the expression to be evaluated. Note that the semantics of conditional expressions prescribes that both the branches of the conditional are evaluated.² 

The most important rule is [E-SPR], which handles spreading expressions formalising the description provided in Section 2.1. It first recursively evaluates expressions e_i to value-trees η_i (after proper alignment of the value-tree environment by operator π_i(·)) with top-level values v_i. Then it gets from neighbours their values w_j for the spreading expression, and for each of them f is evaluated giving top-level result u_j. The resulting value is then obtained by the minimum among v0 and the values u_j (which equates to v0 if there are currently no neighbours). Note that, since in a spreading expression {e0 : f(@, e1, ..., en)} the function f must be a diffusion and diffusions are pure functions (cf. Section 3.1), only the root of the value-tree produced by the evaluation of the application of f to the values of e1, ..., en must be stored (cf. the conclusion of rule [E-SPR]). We will in the following provide a network semantics taking care of associating to each device the set of neighbour trees against which it performs a computation round, namely, connecting this operational semantics to the actual network topology. 

² Our calculus does not model the domain restriction construct in 

Example 3.5 (About device semantics). Consider the program P: 

def real main() is { #src : @ + #dist }, 

where #src and #dist are sensors of type real, and + is the built-in sum operator which has type-signature real(real, real). 

The evaluation of emain = { #src : @ + #dist } on a device ι1 when 

• the current sensor-value map for ι1 is σ1 such that σ1(#src) = 0 and σ1(#dist) = 1, and 

• ι1 has currently no neighbours, 

(expressed by the judgement σ1; ∅ ⊢ emain ⇓ θ1) yields the value-tree θ1 = 0(0, 1) by rule [E-SPR], since: n = 1; the evaluation of e0 = #src yields η0 = 0() (by rule [E-SNS]); the evaluation of e1 = #dist yields η1 = 1() (by rule [E-SNS]); m = 0; and ∧{0} = 0. 

Similarly, the evaluation of emain on a device ι2 when 

• the current sensor-value map for ι2 is σ2 such that σ2(#src) = 8 and σ2(#dist) = 1, and 

• ι2 has currently no neighbours, 

(expressed by the judgement σ2; ∅ ⊢ emain ⇓ θ2) yields the value-tree θ2 = 8(8, 1) by rule [E-SPR], since: n = 1; the evaluation of e0 = #src yields η0 = 8() (by rule [E-SNS]); the evaluation of e1 = #dist yields η1 = 1() (by rule [E-SNS]); m = 0; and ∧{8} = 8. 

Then, the evaluation of emain on a device ι3 when 

• the current sensor-value map for ι3 is σ3 such that σ3(#src) = 4 and σ3(#dist) = 1, and 

• ι3 has neighbours ι1 and ι2, 

(expressed by the judgement σ3; θ1 θ2 ⊢ emain ⇓ θ3) yields the value-tree θ3 = 1(4, 1) by rule [E-SPR], since: n = 1; the evaluation of e0 = #src yields η0 = 4() (by rule [E-SNS]); the evaluation of e1 = #dist yields η1 = 1() (by rule [E-SNS]); m = 2; the evaluation of 0 + 1 yields 1(0(), 1()) (by rule [E-BLT]); the evaluation of 8 + 1 yields 9(8(), 1()) (by rule [E-BLT]); and ∧{4, 1, 9} = 1. 
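The rules of Figure 6 as an added Python evaluator over tagged-tuple expressions (an illustration written for this page, not the paper's code). Value-trees are pairs (root, subtrees); π_i is applied to the neighbours' trees before every subexpression so that a spreading reads the roots its neighbours computed for that very expression. The function example_3_5 reproduces the three evaluations above, and example_alignment shows with a constructed program why a plain value instead of a tree would be wrong: a main with two spreadings side by side yields a different (incorrect) result if both read the neighbour's top-level root.

```python
import math
from typing import Any, Dict, List, Tuple

POSINF = math.inf
Tree = Tuple[Any, List["Tree"]]  # a value-tree v(theta_1, ..., theta_n)

BUILTINS = {"+": lambda a, b: a + b, "<": lambda a, b: a < b,
            "not": lambda a: not a, "or": lambda a, b: a or b}


def rho(t: Tree):
    """Root value of a value-tree."""
    return t[0]


def pi(i: int, trees: List[Tree]) -> List[Tree]:
    """i-th subtree (0-based) of every neighbour tree: aligns the neighbours'
    value-trees with the subexpression about to be evaluated.  All devices run
    the same main, so every neighbour tree has the shape this expression dictates."""
    return [t[1][i] for t in trees]


def evaluate(sigma: Dict[str, Any], nbrs: List[Tree], e, program=None, env=None) -> Tree:
    """sigma; nbrs |- e => tree.  Expressions are tuples:
    ("sns", s) ("val", v) ("var", x) ("cond", e0, e1, e2) ("app", f, [args]) ("spr", e0, f, [args]);
    program maps d -> (T, [x1, ..., xn], body)."""
    program, env = program or {}, env or {}
    tag = e[0]
    if tag == "sns":                                                  # [E-SNS]
        return (sigma[e[1]], [])
    if tag in ("val", "var"):                                         # [E-VAL]; variables stand for values substituted by [E-DEF]
        return (e[1] if tag == "val" else env[e[1]], [])
    if tag == "cond":                                                 # [E-COND]: both branches are evaluated
        t0, t1, t2 = [evaluate(sigma, pi(i, nbrs), sub, program, env) for i, sub in enumerate(e[1:])]
        return (rho(t1) if rho(t0) else rho(t2), [t0, t1, t2])
    if tag == "app":
        f, args = e[1], e[2]
        subs = [evaluate(sigma, pi(i, nbrs), a, program, env) for i, a in enumerate(args)]
        vals = [rho(t) for t in subs]
        if f in BUILTINS:                                             # [E-BLT]
            return (BUILTINS[f](*vals), subs)
        _, params, body = program[f]                                  # [E-DEF]: the body is aligned with subtree n+1
        body_tree = evaluate(sigma, pi(len(args), nbrs), body, program, dict(zip(params, vals)))
        return (rho(body_tree), subs + [body_tree])
    if tag == "spr":                                                  # [E-SPR]
        _, e0, f, args = e
        subs = [evaluate(sigma, pi(i, nbrs), a, program, env) for i, a in enumerate([e0] + args)]
        v0, vs = rho(subs[0]), [rho(t) for t in subs[1:]]
        # the neighbours' roots w_j are the values they computed for this very spreading
        # expression; f is pure, so it runs with no neighbour trees and only u_j is kept
        us = [rho(evaluate(sigma, [], ("app", f, [("val", rho(t))] + [("val", v) for v in vs]), program))
              for t in nbrs]
        return (min([v0] + us), subs)
    raise ValueError(f"malformed expression {e!r}")


MAIN = ("spr", ("sns", "#src"), "+", [("sns", "#dist")])  # { #src : @ + #dist }


def example_3_5():
    """The three evaluations of Example 3.5; returns (theta_1, theta_2, theta_3)."""
    th1 = evaluate({"#src": 0, "#dist": 1}, [], MAIN)
    th2 = evaluate({"#src": 8, "#dist": 1}, [], MAIN)
    th3 = evaluate({"#src": 4, "#dist": 1}, [th1, th2], MAIN)
    return th1, th2, th3


def example_alignment():
    """Constructed program main = {#src : @ + 1} + {100 : @ + 1}.  A neighbour with
    #src = 0 publishes root 100 (0 + 100).  A device without a source of its own
    must read 0 for the first spreading and 100 for the second, giving 1 + 100;
    reading the neighbour's top-level root 100 for both would give 101 + 100."""
    two = ("app", "+", [("spr", ("sns", "#src"), "+", [("val", 1)]),
                        ("spr", ("val", 100), "+", [("val", 1)])])
    nbr = evaluate({"#src": 0}, [], two)
    return rho(evaluate({"#src": POSINF}, [nbr], two))
```

The printed trees match the text: θ3 = 1(4, 1) because the two neighbour roots 0 and 8 become 1 and 9 under the diffusion and ∧{4, 1, 9} = 1. An implementation that wants to avoid shipping whole trees can, as footnote 1 suggests, keep just the roots of spreading subtrees, but it must still key them by the position of the spreading expression, which is exactly what π_i provides.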


3.2.2. Network Evolution. We now provide an operational semantics for the evolution of whole networks, namely, for modelling the distributed evolution of computational fields over time. Figure 7 (top) defines key syntactic elements to this end. F models the overall computational field (state), as a map from device identifiers to value-trees. τ models network topology, namely, a directed neighbouring graph, as a map from device identifiers to sets of identifiers. Σ models sensor (distributed) state, as a map from device identifiers to (local) sensors (i.e., sensor name/value maps). Then, E (a couple of topology and sensor state) models the system's environment. So, a whole network configuration N is a couple of a field and environment. 

We define network operational semantics in terms of small-step transitions of the kind N →ℓ N', where ℓ is either a device identifier in case it represents its firing, or label ε to model any environment change. This is formalised by the two rules in Figure 7 (bottom). Rule [N-FIR] models a network evolution due to a computation round (firing) at device ι: it reconstructs the proper local environment, 
System configurations and action labels:

  F   ::= ῑ ▷ θ̄        computational field
  τ   ::= ῑ ▷ ῑ        topology
  Σ   ::= ῑ ▷ σ̄        sensors-map
  E   ::= τ, Σ         environment
  N   ::= ⟨E; F⟩       network configuration
  act ::= ι | ε        action label

Environment well-formedness:

  WFE(τ, Σ) holds if τ and Σ have the same domain, and τ's values do not escape it.

Transition rules for network evolution:

  [N-FIR]   E = τ, Σ      τ(ι) = ῑ      Σ(ι); F(ῑ) ⊢ e_main ⇓ θ
            ⟨E; F⟩ →^ι ⟨E; F[ι ▷ θ]⟩

  [N-ENV]   WFE(E')      E' = τ, ι1 ▷ σ1, ..., ιn ▷ σn
            σ1; ∅ ⊢ e_main ⇓ θ1   ···   σn; ∅ ⊢ e_main ⇓ θn      F0 = ι1 ▷ θ1, ..., ιn ▷ θn
            ⟨E; F⟩ →^ε ⟨E'; F0[F]⟩

Figure 7: Small-step operational semantics for network evolution


taking local sensors and accessing the value-trees of ι's neighbours¹; then, by the single device
semantics, we obtain the device's value-tree θ, which is used to update the system configuration. Rule
[N-ENV] models a network evolution due to a change of the environment E to an arbitrary new well-
formed environment E'; note that this encompasses both neighbourhood changes and the addition/removal
of devices. Let be the domain of E'. We first construct a field F0 associating to all the
devices of E' the default value-trees θ1, ..., θn, obtained by making the devices perform an evaluation with
no neighbours and with the sensors of E'. Then, we adapt the existing field F to the new set of devices:
F0[F] automatically handles the removal of devices, maps new devices to their default value-tree, and
retains the existing value-trees of the other devices.


Example 3.6 (About network evolution). Consider a network of devices running the program P
of Example 3.5. The initial situation, when (the functionality associated to) the program P is
switched off on all the devices, is modelled by the empty network configuration ⟨∅ ▷ ∅, ∅ ▷ ∅; ∅ ▷ ∅⟩.

The network evolution representing the fact that the environment evolves because device ι3
switches on when its sensor #src perceives value 0 and its sensor #dist perceives value 1 (and
gets initialised to the value-tree obtained by firing with respect to the empty set of neighbours), is
modelled (according to rule [N-ENV]) by the reduction step ⟨∅ ▷ ∅, ∅ ▷ ∅; ∅ ▷ ∅⟩ →^ε ⟨ι3 ▷ ∅, ι3 ▷ σ1; ι3 ▷ θ1⟩,
where the sensor-value mapping σ1 and the value-tree θ1 are those introduced in Example 3.5.
Then, the network evolution representing the fact that the environment evolves as follows:

• the device ι1 switches on when its sensor #src perceives value 0 and its sensor #dist perceives
value 1, and has only ι3 as neighbour;

• the device ι2 switches on when its sensor #src perceives value 4 and its sensor #dist perceives
value 1, and has no neighbours, and

• on device ι3 sensor #src perceives value 8, sensor #dist perceives value 1, and ι3 has ι1 and ι2
as neighbours,

is modelled (according to rule [N-ENV]) by the reduction step ⟨ι3 ▷ ∅, ι3 ▷ σ1; ι3 ▷ θ1⟩ →^ε ⟨τ, Σ; F⟩,
where

τ = ι1 ▷ {ι3}, ι2 ▷ ∅, ι3 ▷ {ι1, ι2},   Σ = ι1 ▷ σ1, ι2 ▷ σ2, ι3 ▷ σ3,   F = ι1 ▷ θ1, ι2 ▷ θ2, ι3 ▷ θ1

and the sensor-value mappings σ2, σ3 and the value-tree θ2 are those introduced in Example 3.5.
Finally, the network evolution representing the fact that device ι3 fires is modelled (according to
rule [N-FIR]) by the reduction step ⟨τ, Σ; F⟩ →^ι3 ⟨τ, Σ; ι1 ▷ θ1, ι2 ▷ θ2, ι3 ▷ θ3⟩, where the value-tree θ3
is that introduced in Example 3.5.

¹ The operational semantics abstracts from the details of message broadcast from/to neighbours: the most recent
value-trees received by a device ι from its neighbours while it was sleeping are identified with the value-trees associated to
the neighbours of the device ι when it fires.


3.3. The Self-stabilisation Property. Upon this semantics, we introduce the following definitions
and notations, ending with the self-stabilisation property.

Initiality: The empty network configuration ⟨∅ ▷ ∅, ∅ ▷ ∅; ∅ ▷ ∅⟩ is said initial.

Reachability: Write N ⇒ N' as short for N →^act1 N1 →^act2 ··· →^actn N'. A configuration N is said reachable
if N0 ⇒ N where N0 is initial. Reachable configurations are the well-formed ones, and in the
following we shall implicitly consider only reachable configurations.

Firing: A firing evolution from N to N', written N ⇒ N', is one such that N ⇒^ῑ N' for some ῑ,
namely, where only firings occur.

Stability: A network configuration N is said stable if N ⇒ N' implies N = N', namely, the computation
of fields has reached a fixpoint in the current environment. Note that if N is stable, then it also
holds that N →^ι N' implies N = N'.

Fairness: We say that a sequence of device fires ῑ is k-fair (k ≥ 0) to mean that, for every h (1 ≤ h ≤ k),
the h-th fire of any device is followed by at least k − h fires of all the other devices. Accordingly,
a firing evolution N ⇒^ῑ N' is said k-fair, written N ⇒^ῑ_k N', to mean that ῑ is k-fair. We also
write N ⇒_k N' if N ⇒^ῑ_k N' for some ῑ. This notion of fairness will be used to characterise
finite firing evolutions in which all devices are given an equal chance to fire after all the others have.

Strong self-stabilisation: A network configuration ⟨E; F⟩ is said to (strongly) self-stabilise (simply,
self-stabilise, in the following) to ⟨E; F'⟩ if there is a k > 0 and a field F' such that ⟨E; F⟩ ⇒_k
⟨E; F'⟩ implies ⟨E; F'⟩ is stable, and F' is univocally determined by E. Self-stability basically
amounts to the inevitable reachability of a stable state depending only on environment conditions,
through a sufficiently long fair evolution. Hence, the terminology is abused by equivalently saying
that a program P or (equivalently) a field expression e_main is self-stabilising if for any environment
state E there exists a unique stable field F' such that any ⟨E; F⟩ self-stabilises to ⟨E; F'⟩.

Self-stability: A network configuration ⟨E; F⟩ is said self-stable to mean that it is stable and F is
univocally determined by E.

Note that our definition of self-stabilisation is actually a stronger version of the standard definition of
self-stabilisation as given e.g. in [22]; see more details in a later section. Instead of simply requiring
that we enter a "self-stable set" of states and never escape from it, we require that (i) such a set has
a single element, and (ii) such an element is globally unique, i.e., it does not depend on the initial
state. Viewed in the context of an open system, it means that we seek programs self-stabilising in
any environment independently of any intermediate computation state. This is a requirement of key
importance, since it entails that any subexpression of the program can be associated to a final and
stable field, reached in finite time by fair evolutions and adapting to the shape of the environment.
This acts as the sought bridge between the micro-level (field expression in program code), and the
macro-level (expected global outcome).

Example 3.7 (A self-stabilising program). Consider a network of devices running the program P of
Examples 3.5 and 3.6,

def real main() is { #src : @ + #dist },

and assume that the sensor #dist is guaranteed to always return a positive value (recall that
the sensors #src and #dist have type real and the built-in operator + has type-signature
real(real,real)). Then, the operator + is guaranteed to be used with type real(real,pr),
where pr is the type of positive reals (i.e., the refinement type [ref] that refines type real by keeping
only the positive values), so that the following conditions are satisfied:

(1) + is monotonic nondecreasing in its first argument, i.e., for any v, v' and v2 of type pr:

v ≤_real v' implies v + v2 ≤_real v' + v2;

(2) + is progressive in its first argument, i.e., for any v and v2 of type pr:

POSINF = POSINF + v2, and v ≠ POSINF implies v <_real v + v2.

Starting from an initial empty configuration, we move by rule [N-ENV] to a new environment with
the following features:

• the domain is formed by 2n (n ≥ 1) devices ι1, ..., ιn, ιn+1, ..., ι2n;

• the topology is such that any device ιi is connected to ιi+1 and ιi−1 (if they exist);

• sensor #dist gives 1 everywhere;

• sensor #src gives 0 on the devices ιi (1 ≤ i ≤ n, briefly referred to as left devices) and a value u
(u > n + 1) on the devices ιj (n + 1 ≤ j ≤ 2n, briefly referred to as right devices).

Accordingly, the left devices are all assigned the value-tree 0(0,1), while the right ones u(u,1):
hence, the resulting field maps left devices to 0 and right devices to 1; remember that such evaluations
are done assuming nodes are isolated, hence the result is exactly the value of the source expression.
With this environment, the firing of a device can only replace the root of a value-tree, making it the
minimum of the source expression's value and of the successors of the neighbours' values. Hence, any firing
of a device that is not ιn+1 does not change its value-tree. When ιn+1 fires instead, by rule [N-FIR], its
value-tree becomes 1(u,1), and it remains so if more firings occur next.

Now, only a firing at ιn+2 causes a change: its value-tree becomes 2(u,1). Going on this way,
it is easy to see that after any n-fair firing sequence the network self-stabilises to the field state
where left devices still have value-tree 0(0,1), while right devices ιn+1, ιn+2, ιn+3, ... have value-trees
1(u,1), 2(u,1), 3(u,1), ..., respectively. That is, the roots of such trees form a hop-count gradient,
measuring the minimum distance to the source nodes, namely, the left devices.

It can also be shown that any environment change, followed by a sufficiently long firing sequence,
makes the system self-stabilise again, possibly to a different field state. For instance, if the two
connections of ι2n−1 to/from ι2n−2 break (assuming n > 2), the part of the network excluding ι2n−1
and ι2n stays stable in the same state. The values at ι2n−1 and ι2n start rising instead, increasing by
2 alternately until both reach the initial value-trees u(u,1); and this happens in finite time by a fair
evolution thanks to the local noetherianity property of stabilising diffusions. Note that the final state
is still the hop-count gradient, though adapted to the new environment topology.

Example 3.8 (A non self-stabilising program). An example of a program that is not self-stabilising is

def real main() is { #src : id(@) }

(written def real main() is { #src : @ } for short). There, the diffusion is the identity
function id, defined as def real id(real x) is x, which (under the assumption, made in Example 3.7, that the
sensor #src is guaranteed to return positive values) is guaranteed to be used with signature (pr)pr
and is not progressive in its first argument (cf. condition (1) in Example 3.7).²

Assuming a connected network, and #src holding value v̂ in one node and POSINF in all others,
then any configuration where all nodes hold the same value v less than or equal to v̂ is trivially stable.
This would model a source gossiping a fixed value v̂ everywhere: if the source suddenly gossips a
value v' smaller than v, then the network would self-organise and all nodes would eventually hold v'.
However, if the source then gossips a value v'' greater than v', the network would not self-organise
and all nodes would remain stuck at value v'.
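The network semantics of Section 3.2.2 and the three examples above can be replayed mechanically. The following Python simulator is an added example and is not code from the paper or its authors: it implements rule [E-spr] for programs of the shape { #src : f(@, #dist) } (the only shape the examples need), the rules [N-ENV] and [N-FIR] of Figure 7, the stability test of Section 3.3 and k-fair round-based firing, and then reruns Example 3.6 (with the sensor maps σ1, σ2, σ3 of Example 3.5), the hop-count gradient and link break of Example 3.7, and the stuck gossip of Example 3.8. The representation of value-trees as (root, subtrees) pairs, all function and class names, and the concrete sample environments are our own assumptions.

```python
# Added example (ours, not the paper's code): simulator of the network semantics
# of Figure 7 for programs { #src : f(@, #dist) }; the representation of value-trees
# as (root, subtrees) pairs, all names and the sample environments are assumptions.
from typing import Callable, Dict, List, Set, Tuple

Tree = Tuple[float, list]
POSINF = float("inf")

def plus(v: float, d: float) -> float:    # the diffusion + of Example 3.7
    return v + d

def ident(v: float, _d: float) -> float:  # the diffusion id of Example 3.8
    return v

def eval_device(sigma: Dict[str, float], nbr_trees: List[Tree], f: Callable) -> Tree:
    """Rule [E-spr] on one device: root = min of the #src value and of f(neighbour root,
    #dist); the subtrees are the value-trees of the two sensor subexpressions."""
    src, dist = sigma["#src"], sigma["#dist"]
    return (min([src] + [f(t[0], dist) for t in nbr_trees]), [(src, []), (dist, [])])

class Network:
    """A configuration <tau, Sigma; F> evolving by rules [N-ENV] and [N-FIR]."""
    def __init__(self, f: Callable = plus):
        self.f, self.topo, self.sensors, self.field = f, {}, {}, {}

    def env_step(self, topo: Dict[int, Set[int]], sensors: Dict[int, Dict[str, float]]) -> None:
        assert topo.keys() == sensors.keys()                          # WFE: same domain ...
        assert all(nbrs <= set(topo) for nbrs in topo.values())      # ... not escaped by tau
        f0 = {i: eval_device(sensors[i], [], self.f) for i in sensors}   # default trees
        f0.update({i: t for i, t in self.field.items() if i in f0})      # F0[F]
        self.topo, self.sensors, self.field = dict(topo), dict(sensors), f0

    def fired_tree(self, i: int) -> Tree:                             # what [N-FIR] would store
        return eval_device(self.sensors[i], [self.field[j] for j in sorted(self.topo[i])], self.f)

    def fire(self, i: int) -> None:                                   # [N-FIR]
        self.field[i] = self.fired_tree(i)

    def values(self) -> Dict[int, float]:
        return {i: t[0] for i, t in self.field.items()}

    def is_stable(self) -> bool:   # no single firing changes F, hence no firing evolution does
        return all(self.fired_tree(i) == self.field[i] for i in self.topo)

def fair_rounds(net: Network, k: int, order: List[int]) -> None:
    """k rounds in which every device fires once, in the given order: a k-fair sequence."""
    for _ in range(k):
        for i in order:
            net.fire(i)

def rounds_until_stable(net: Network, order: List[int], limit: int = 100) -> int:
    for done in range(limit + 1):
        if net.is_stable():
            return done
        fair_rounds(net, 1, order)
    raise RuntimeError("no fixpoint within the round limit")

def example_3_6() -> Dict[int, Tree]:
    """Example 3.6 with the sensor maps sigma1, sigma2, sigma3 of Example 3.5."""
    net = Network(plus)
    net.env_step({3: set()}, {3: {"#src": 0, "#dist": 1}})                     # iota3 switches on
    net.env_step({1: {3}, 2: set(), 3: {1, 2}}, {1: {"#src": 0, "#dist": 1},
                 2: {"#src": 8, "#dist": 1}, 3: {"#src": 4, "#dist": 1}})      # iota1, iota2 join
    net.fire(3)                                                               # iota3 fires
    return net.field

def line_env(n: int, u: float):
    """The 2n-device line of Example 3.7: #src is 0 on the left devices and u on the right ones."""
    ids = range(1, 2 * n + 1)
    topo = {i: {j for j in (i - 1, i + 1) if 1 <= j <= 2 * n} for i in ids}
    return topo, {i: {"#src": 0.0 if i <= n else u, "#dist": 1.0} for i in ids}

def example_3_7(n: int = 3, u: float = 10.0):
    net = Network(plus)
    net.env_step(*line_env(n, u))
    worst = list(range(2 * n, 0, -1))      # right-to-left firing needs all n rounds
    fair_rounds(net, n - 1, worst)
    early = net.is_stable()                # False: the gradient is not complete yet
    fair_rounds(net, 1, worst)
    gradient = net.values()                # 0, ..., 0, 1, 2, ..., n: a hop-count gradient
    topo, sensors = line_env(n, u)         # now break the link iota_{2n-2} <-> iota_{2n-1}
    topo[2 * n - 2].discard(2 * n - 1)
    topo[2 * n - 1].discard(2 * n - 2)
    net.env_step(topo, sensors)
    return early, gradient, rounds_until_stable(net, worst), net.values()

def example_3_8(v_hat: float = 5.0):
    """Example 3.8: with the identity diffusion a lower source value spreads, a higher one does not."""
    def sensors(s: float) -> Dict[int, Dict[str, float]]:
        return {i: {"#src": s if i == 1 else POSINF, "#dist": 1.0} for i in (1, 2, 3)}
    net, topo, order = Network(ident), {1: {2}, 2: {1, 3}, 3: {2}}, [1, 2, 3]
    net.env_step(topo, sensors(v_hat))
    rounds_until_stable(net, order)        # everybody gossips v_hat
    net.env_step(topo, sensors(v_hat - 2))
    rounds_until_stable(net, order)
    lowered = net.values()                 # everybody follows the smaller value
    net.env_step(topo, sensors(v_hat + 2))
    rounds_until_stable(net, order)
    return lowered, net.values()           # still the smaller value: the network is stuck
```

The firing order in example_3_7 is deliberately right-to-left, the worst case for the gradient, so the network is not yet stable after n − 1 rounds and stabilises after exactly n rounds, matching the n-fair bound of Example 3.7; after the link break the two detached right devices climb by 2 per round, alternately, until both hold u. The is_stable check compares each device's current value-tree with the one a single firing would store, which suffices because a configuration that no single firing changes is unchanged by every firing evolution.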


4. Sorts, Stabilising Diffusions and the Stabilising-Diffusion Condition

In this section we state a sufficient condition for self-stabilisation. This condition is about the
behaviour of a diffusion (cf. Definition 3.2) on subsets of its arguments (cf. Example 3.7). We first
introduce refinement types (or sorts) as a convenient way to denote these subsets (in Section 4.1)
and then use them to formulate the notion of stabilising diffusion (in Section 4.2) and the sufficient
condition for self-stabilisation (in Section 4.3).


4.1. Refinement Types (or Sorts). Refinement types [ref] provide a means to conservatively extend
the static type system of a language by providing the ability to specify refinements of each type. All
the programs accepted by the original type system are accepted by the refinement-type system and
vice versa, but refinement types provide additional information that supports stating and checking
properties of programs. Following [ref], we refer to refinement types as sorts and use terms like
subsorting and sort checking.

For instance, for the ground type real of reals we consider the six ground sorts nr (negative
reals), zr (the sort for 0), pr (positive reals), znr (zero or negative reals), zpr (zero or positive
reals), and real (each type trivially refines itself); while for the type bool we consider the three sorts
false (the sort for FALSE), true (the sort for TRUE) and bool. Each sort-signature has the same
structure as the type-signature it refines. For instance, we can build 9 (= 3²) sort-signatures for the
type-signature bool(bool):

false(false), false(true), false(bool),
true(false), true(true), true(bool),
bool(false), bool(true), bool(bool).

We assume a mapping sorts(·) that associates to each type the (set of) sorts that refine it, and a
mapping sort-signatures(·) that associates to each type-signature the (set of) sort-signatures that
refine it (note that the latter mapping is determined by the former, i.e., by the value of sorts(·)
on ground types). A type T trivially refines itself, i.e., for every type T it holds that T ∈ sorts(T).
Similarly, for every type-signature T(T̄) it holds that T(T̄) ∈ sort-signatures(T(T̄)). We write [[S]] to
denote the set of values of sort S. Note that, by construction:

for all S ∈ sorts(T) it holds that [[S]] ⊆ [[T]].

Sorts and sort-signatures express properties of expressions and functions, respectively. We say that:

² The function id is progressive whenever it is used with a signature of the form (real_n)real_n, where real_n is
the refinement type that refines real by keeping only the value n; in the example, this corresponds to the case when
the sensor #src is guaranteed to always return the constant value n on all the devices.
Ground sorts:

  sorts(bool) = {false, true, bool}
  sorts(real) = {nr, zr, pr, znr, zpr, real}

Subsorting for ground sorts (S ≤ S' reads "S is a subsort of S'"):

  false ≤ bool,  true ≤ bool
  nr ≤ znr,  zr ≤ znr,  zr ≤ zpr,  pr ≤ zpr,  znr ≤ real,  zpr ≤ real

Figure 8: Sorts and subsorting for the ground types used in the examples


• a value v has (or satisfies) sort S to mean that v ∈ [[S]] holds; we write sorts(v) to denote the set
of all the sorts satisfied by v, and

• a pure function f has (or satisfies) sort-signature S(S̄) to mean that for all v̄ ∈ [[S̄]] it holds that
[[f]](v̄) ∈ [[S]]; we write sort-signatures(f) to denote the set of all the sort-signatures satisfied by
f.

For every sort S in sorts(T) we write ≤_S to denote the restriction to [[S]] of the total order ≤_T (cf.
Section 2.1) and write ⊤_S to denote the maximum element of [[S]] with respect to ≤_S.

Subsorting is a partial order relation over the sorts of each type that models the inclusion relationship
between them. For instance, each positive number is a zero or positive number, so we will write nr ≤ znr
to indicate that nr is a subsort of znr. We require that the subsorting relation satisfies the following
(fairly standard) conditions:

(1) The type T is the maximum element with respect to the subsorting relation on sorts(T).

(2) For every S1, S2 ∈ sorts(T) there exists a least upper bound in sorts(T), that we denote by
sup_≤(S1, S2).

(3) For each value v the set of sorts sorts(type(v)) has a minimum element w.r.t. ≤.

(4) The subsorting relation is sound and complete according to the semantics of sorts, i.e.,

S ≤ S' if and only if [[S]] ⊆ [[S']].

Example 4.1. Figure 8 illustrates the sorts and the subsorting for the ground types used in the
examples introduced throughout the paper.

Subsigning is the partial order obtained by lifting subsorting to sort-signatures by the following
subsigning rule (which, as usual, is covariant in the result sort and contravariant in the argument
sorts):

[I-SIG]   S ≤ S'      S̄' ≤ S̄
          S(S̄) ≤ S'(S̄')

According to the above explanations, for every type T and type-signature T(T̄) we have that both
(sorts(T), ≤) and (sort-signatures(T(T̄)), ≤) are partial orders.


4.2. Stabilising Diffusions. Recall the notion of diffusion (Definition 3.2). In this section we exploit
sorts to formulate the notion of stabilising diffusion: a predicate on the behaviour of a diffusion
that will be used to express the sufficient condition for self-stabilisation. The stabilising diffusion
predicate specifies constraints on the behaviour of a diffusion f of type T1(T1, ..., Tn) by exploiting a
sort-signature S(S1, ..., Sn) ∈ sort-signatures(f).

Definition 4.2 (Stabilising diffusion). A diffusion f is stabilising with respect to the sort-signature
S(S1, S̄) ∈ sort-signatures(f) such that S ≤ S1 (notation stabilising(f, S(S1, S̄))) if the following
conditions hold:

(1) f is monotonic nondecreasing in its first argument, i.e., for all v ∈ [[S1]], v' ∈ [[S1]] and v̄ ∈ [[S̄]]:
v ≤_S1 v' implies [[f]](v, v̄) ≤_S1 [[f]](v', v̄);

(2) f is progressive in its first argument, i.e., for all v̄ ∈ [[S̄]]: [[f]](⊤_S1, v̄) =_S1 ⊤_S1 and, for all
v ∈ [[S1]] − {⊤_S1}, v <_S1 [[f]](v, v̄).

We say that the sort-signature S(S̄) is stabilising for f to mean that stabilising(f, S(S̄)) holds, and
write stabilising-sort-signatures(f) to denote the set of the stabilising sort-signatures for f.

Example 4.3. Consider the library introduced earlier in the paper. The following predicates hold:

• stabilising(+, zr(zr, zr)),

• stabilising(+, pr(zpr, pr)),

• stabilising(+, real(real, pr)), and

• stabilising(restrictSum, real(real, pr, bool)).

Note that Condition (2) in Definition 4.2 introduces a further constraint between the sort of
the first argument S1 and the sort of the result S in the sort-signature S(S1, ..., Sn) used for f. For
instance, given the diffusion

def real f(real x, real y) is -(x+y)

the sort signature nr(pr, pr) ∈ sort-signatures(f) ⊆ sort-signatures(real(real, real)) is not
compatible with Condition (2), since v1, v2 ∈ [[pr, pr]] and v = [[f]](v1, v2) ∈ nr imply v1 > v.
Namely, the sort of the result S and the sort of the first argument S1 must be such that [[S]] ⊆progressive
[[S1]], where the relation ⊆progressive between two subsets S and S1 of [[T]] (i.e., between elements of
the powerset P([[T]])), that we call progressive inclusion, is defined as follows:

S ⊆progressive S1 if and only if S ⊆ S1 and ⊤_S = ⊤_S1.

We write ≤progressive to denote the progressive subsorting relation, which is the restriction of the subsorting
relation defined as follows:

S ≤progressive S' if and only if [[S]] ⊆progressive [[S']].

To summarise: if a sort signature S(S̄) is stabilising for some diffusion, then S(S̄) must be progressive,
according to the following definition.


Definition 4.4 (Progressive sort-signature). A sort-signature S(S̄) with S̄ = S1, ..., Sn (n ≥ 1) is a
progressive sort-signature (notation progressive(S(S̄))) if S ≤progressive S1.

Given a diffusion type-signature T(T̄) (cf. Definition 3.2) we write
progressive-sort-signatures(T(T̄)) to denote the (set of) progressive sort-signatures that
refine it.

Example 4.5. Figure 9 illustrates the progressive subsorting for the ground sorts used in the examples
introduced throughout the paper.

The following partial order between progressive sort-signatures, that we call stabilising subsigning:

[I-S-SIG]   S ≤progressive S'      S1' ≤progressive S1      S̄' ≤ S̄
            S(S1, S̄) ≤stabilising S'(S1', S̄')

captures the natural implication relation between stabilisation properties, as stated by the following
proposition.

Figure 9: Progressive subsorting for the ground sorts used in the examples (cf. Figure 8)

Proposition 4.6 (Soundness of stabilising subsigning). If stabilising(f, S(S̄)) and S(S̄) ≤stabilising S'(S̄')
then stabilising(f, S'(S̄')).

Proof. Straightforward from Definition 4.2 and the definition of progressive subsigning (Rule [I-S-SIG]
above). □


4.3. The Stabilising-Diffusion Condition. We have now all the ingredients to formulate a sufficient
condition for self-stabilisation of a well-typed program P, that we call the stabilising-diffusion
condition: any diffusion f used in a spreading expression e of the program (or library) P must be
a stabilising diffusion with respect to a sort-signature for f that correctly describes the sorts of the
arguments of f in e. More formally, a well-typed program (or library) P satisfies the stabilising-
diffusion condition if and only if it admits valid sort-signature and stabilising assumptions for
diffusions. I.e., for each diffusion-expression {e1 : f(@, e2, ..., en)} occurring in P, there exists a
sort-signature S(S1, ..., Sn) such that the following two conditions are satisfied.

(1) Validity of the sort-signature assumption: the diffusion f has sort-signature S(S1, ..., Sn) and,
in any reachable network configuration, the evaluation of the subexpression ei yields a value
vi ∈ [[Si]] (1 ≤ i ≤ n).

(2) Validity of the stabilising assumption: the sort-signature S(S1, ..., Sn) is stabilising for the
diffusion f.

Example 4.7. In the body of the function main in Example 3.7, which defines a self-stabilising field:

(1) the diffusion function + is applied according to the sort-signature real(real, pr) since its
second argument is the sensor #dist of type real that is guaranteed to always return a value of
sort pr; and

(2) stabilising(+, real(real, pr)) holds (cf. Example 4.3).

Therefore, the stabilising diffusion condition is satisfied. Also the library introduced earlier in the paper satisfies the
stabilising diffusion condition.

Instead, for the diffusion function id of type-signature real(real) used in the non-self-
stabilising spreading expression considered in Example 3.8, S(S1) = zr(zr) is the only sort-signature
such that stabilising(id, S(S1)) holds.³ Therefore, since the sensor #src returns a value of sort pr,
the stabilising diffusion condition cannot be satisfied.
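Definition 4.2 and the stabilising-diffusion condition of Section 4.3 can be checked mechanically on a finite sample of each sort, which is what a practitioner would do before trusting a field program to converge. The following Python checker is an added example, not code from the paper or its authors: it models the real-valued sorts of Figure 8 (nr, zr, pr, znr, zpr, real) by a membership predicate, a constructed sample of values and the sort's maximum element, implements subsorting (condition (4) of Section 4.1), rule [I-SIG], progressive subsorting (Section 4.2) and the two conditions of Definition 4.2, and runs them on the sort-signatures of Examples 4.3 and 4.7 (restrictSum, whose definition is not on this page, is left out). Because the sorts are infinite and the check only samples them, a True verdict is evidence rather than a proof, whereas a False verdict comes with a concrete counterexample; the sample values and all names (Sort, SORTS, stabilising, ...) are our assumptions.

```python
# Added example (ours, not the paper's code): a bounded checker for Definition 4.2
# over the real-valued sorts of Figure 8. Sorts are modelled by a membership
# predicate, a constructed finite sample of values and the maximum element
# (POSINF where the sort has no finite maximum; None for nr, which has none).
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Optional, Sequence, Tuple

POSINF = float("inf")

@dataclass(frozen=True)
class Sort:
    name: str
    member: Callable[[float], bool]
    sample: Tuple[float, ...]
    top: Optional[float]

SORTS: Dict[str, Sort] = {
    "nr":   Sort("nr",   lambda v: v < 0,  (-2.0, -1.0, -0.5),                  None),
    "zr":   Sort("zr",   lambda v: v == 0, (0.0,),                              0.0),
    "pr":   Sort("pr",   lambda v: v > 0,  (0.5, 1.0, 2.0, POSINF),              POSINF),
    "znr":  Sort("znr",  lambda v: v <= 0, (-2.0, -1.0, 0.0),                   0.0),
    "zpr":  Sort("zpr",  lambda v: v >= 0, (0.0, 0.5, 1.0, 2.0, POSINF),         POSINF),
    "real": Sort("real", lambda v: True,   (-2.0, -1.0, 0.0, 0.5, 2.0, POSINF),  POSINF),
}

def plus(v: float, d: float) -> float:        # +  (Examples 3.7 and 4.3)
    return v + d

def ident(v: float) -> float:                 # id (Examples 3.8 and 4.7)
    return v

def neg_sum(x: float, y: float) -> float:     # the diffusion f of Section 4.2, -(x+y)
    return -(x + y)

def subsort(s: str, t: str) -> bool:
    """S <= S' iff [[S]] is included in [[S']] (condition (4) of Section 4.1), on the sample."""
    return all(SORTS[t].member(v) for v in SORTS[s].sample)

def progressive_subsort(s: str, t: str) -> bool:
    """S <=progressive S' iff S <= S' and the two sorts have the same maximum element."""
    return subsort(s, t) and SORTS[s].top is not None and SORTS[s].top == SORTS[t].top

def subsign(sig: Tuple[str, Sequence[str]], sig2: Tuple[str, Sequence[str]]) -> bool:
    """Rule [I-SIG]: covariant in the result sort, contravariant in the argument sorts."""
    (r, args), (r2, args2) = sig, sig2
    return subsort(r, r2) and len(args) == len(args2) and all(subsort(b, a) for a, b in zip(args, args2))

def has_sort_signature(f: Callable, result: str, args: Sequence[str]) -> bool:
    """f satisfies S(S1..Sn) if every sampled argument tuple is mapped into [[S]]."""
    return all(SORTS[result].member(f(*vs)) for vs in product(*(SORTS[a].sample for a in args)))

def stabilising(f: Callable, result: str, args: Sequence[str]) -> Tuple[bool, str]:
    """Definition 4.2 on the samples; returns (verdict, reason)."""
    s1, rest = SORTS[args[0]], args[1:]
    if not has_sort_signature(f, result, args):
        return False, "not a sort-signature of f"
    if not subsort(result, args[0]):
        return False, "result sort is not a subsort of the first-argument sort"
    if s1.top is None:
        return False, f"{s1.name} has no maximum element"
    for vbar in product(*(SORTS[a].sample for a in rest)):
        for v, v2 in product(s1.sample, s1.sample):          # (1) monotonic nondecreasing
            if v <= v2 and not f(v, *vbar) <= f(v2, *vbar):
                return False, f"not monotonic at v={v}, v'={v2}, rest={vbar}"
        if f(s1.top, *vbar) != s1.top:                        # (2) the top is a fixpoint
            return False, f"top {s1.top} not preserved for rest={vbar}"
        for v in s1.sample:                                   # (2) strictly increasing below top
            if v != s1.top and not v < f(v, *vbar):
                return False, f"not progressive at v={v}, rest={vbar}"
    return True, "stabilising on the sample"

def stabilising_diffusion_condition(f: Callable, result: str, args: Sequence[str]) -> bool:
    """Section 4.3 for one diffusion-expression whose arguments are known to have sorts args."""
    return has_sort_signature(f, result, args) and stabilising(f, result, args)[0]
```

With these definitions, stabilising(plus, "real", ["real", "pr"]), stabilising(plus, "pr", ["zpr", "pr"]) and stabilising(plus, "zr", ["zr", "zr"]) report True, as listed in Example 4.3; stabilising(ident, "pr", ["pr"]) fails with a "not progressive" counterexample and stabilising(ident, "zr", ["zr"]) succeeds, which is the situation of Example 4.7; and nr(pr, pr) for neg_sum is rejected because nr is not a subsort of pr, the constraint discussed after Example 4.3.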

Remark 4.8 (On choosing the refinements of type real). The choice of the refinements for type
real that we considered in the examples is somewhat arbitrary. We have chosen a set of refinements
that is expressive enough to show that all the self-stabilising examples considered in the
paper satisfy the stabilising-diffusion condition. For instance, dropping the refinements nr and
pr would make it impossible to show that the program considered in Example 3.7 satisfies the
stabilising-diffusion condition.

Considering a richer set of refinements would allow one to prove more properties of programs (and
would make the check more complex). For instance, adding the refinement npr (negative or positive
number) such that:

nr ≤ npr      pr ≤ npr      npr ≤ real

would allow one to assign (according to the sort-checking rules presented in a later section) sort npr to the
expression (x ? -1 : 1), to assume sort-signature false(zr, npr) for the built-in equality
operator on reals =, and therefore to check that the user-defined function

def <bool> f(<bool> x) is 0 = (x ? -1 : 1)

has sort-signature false(bool). Although this would allow one to show that more programs satisfy
the stabilising-diffusion condition, the refinement npr is not needed to show that the self-stabilising
examples considered in the paper satisfy the stabilising-diffusion condition. Therefore we have not
considered it in the examples.

³ Considering the sorts given in Figure 8; cf. the footnote in Example 3.8.


5. Programs that Satisfy the Stabilising-Diffusion Condition Self-stabilise

In this section we prove the main properties of the proposed calculus, namely: type soundness and
termination of device computation (in Section 5.1), and self-stabilisation of network evolution for
programs that satisfy the stabilising-diffusion condition (in Section 5.2).

As already mentioned, our notion of self-stabilisation is key as it allows one to conceptually
map any (self-stabilising) field expression to its final and stable field state, reached in finite time by
fair evolutions and adapting to the shape of the environment. This acts as the sought bridge between
the micro-level (field expression in program code), and the macro-level (expected global outcome).
In order to facilitate the exploitation of this bridge it would be useful to have an effective means for
checking the stabilising-diffusion condition. A technique providing such an effective means (for the
extension of the calculus with pairs introduced in Section 6) is illustrated in later sections.

5.1. Type Soundness and Termination of Device Computation. In order to state the properties
of device computation we introduce the notion of the set of well-typed value-trees for an expression.

Given an expression e such that x̄ : T̄ ⊢ e : T, the set WTVT(x̄ : T̄, e, T) of the well-typed value-
trees for e is inductively defined as follows: θ ∈ WTVT(x̄ : T̄, e, T) if there exist

• a sensor mapping σ;

• well-formed tree environments θ̄ ∈ WTVT(x̄ : T̄, e, T); and

• values v̄ such that length(v̄) = length(x̄) and ∅ ⊢ v̄ : T̄;

such that σ; θ̄ ⊢ e[x̄ := v̄] ⇓ θ holds; note that this definition is inductive, since the sequence of
evaluation trees θ̄ may be empty.

Once this notion is defined we can state the following two theorems, guaranteeing that from a
properly typed environment, evaluation of a well-typed expression yields a properly typed result and
always terminates, respectively.

Theorem 5.1 (Device computation type preservation). If x̄ : T̄ ⊢ e : T, σ is a sensor mapping,
θ̄ ∈ WTVT(x̄ : T̄, e, T), length(v̄) = length(x̄), ∅ ⊢ v̄ : T̄ and σ; θ̄ ⊢ e[x̄ := v̄] ⇓ θ, then ∅ ⊢ ρ(θ) : T.

Proof. See Appendix A. □

Theorem 5.2 (Device computation termination). If x̄ : T̄ ⊢ e : T, σ is a sensor mapping, θ̄ ∈ WTVT(x̄ :
T̄, e, T), length(v̄) = length(x̄) and ∅ ⊢ v̄ : T̄, then σ; θ̄ ⊢ e[x̄ := v̄] ⇓ θ for some value-tree θ.

Proof. See Appendix A. □

The two theorems above guarantee type-soundness and termination of device computations, that
is: the evaluation of a well-typed program on any device completes without type errors assuming that
the values received from the sensors and the values in the value-trees received from the neighbours
are well-typed.

5.2. Self-stabilisation of Network Evolution for Programs that Satisfy the Stabilising-
Diffusion Condition. On top of the type soundness and termination result for device computation
we can prove the main technical result of the paper: self-stabilisation of any program that satisfies
the stabilising-diffusion condition.

Theorem 5.3 (Network self-stabilisation for programs that satisfy the stabilising-diffusion condition).
Given a program with valid sort and stabilising diffusion assumptions, every reachable network
configuration N self-stabilises, i.e., there exists k > 0 such that N ⇒_k N' implies that N' is self-stable.

Proof. See Appendix B. □

We conclude this section by giving an outline of the proof of Theorem 5.3. To this aim we first
introduce some auxiliary definitions.

Auxiliary Definitions. In the following we omit the subscript S in ≤_S and <_S when it is clear from
the context (i.e., we just write ≤ and <).

Given a network N with main expression e, we write θ_ι(in N) to denote the value-tree of e
on device ι in the network configuration N, and write v_ι(in N) to denote the value ρ(θ_ι(in N)) of e
on device ι in the network configuration N. Moreover, when e = {e0 : f(@, e1, ..., en)} we write
θ_{j,ι}(in N) and v_{j,ι}(in N) to denote the value-tree and the value of ej (0 ≤ j ≤ n), respectively. In
the following we omit to specify the network configuration N when it is clear from the context, i.e.,
we simply write θ_ι, v_ι, θ_{j,ι} and v_{j,ι}.

We say that a device ι is stable in N to mean that N ⇒ N' implies θ_ι(in N) = θ_ι(in N'). Note that
the following three statements are equivalent:

• N is stable.

• All the devices of N are stable.

• N ⇒ N' implies N = N'.

We write environment(N) to denote the environment E of a network configuration N = ⟨E; F⟩. We
say that a device ι is self-stable in a network N to mean that it is stable and its value is univocally
determined by environment(N). Note that a network is self-stable if and only if all its devices are
self-stable.

We say that a network N with main expression e = {e0 : f(@, e1, ..., en)} is pre-stable to mean
that for every device ι in N:

(1) the subexpressions ei (0 ≤ i ≤ n) are stable, and

(2) v_ι ≤ v_{0,ι}.

We say that the network N is pre-self-stable to mean that it is pre-stable and the value-trees of the
subexpressions ei (0 ≤ i ≤ n) are self-stable (i.e., they are univocally determined by environment(N)).
Note that pre-stability is preserved by firing evolution (i.e., if N is pre-stable and N ⇒ N', then N'
is pre-stable).

An Outline of the Proof of Theorem 5.3. The proof is by induction on the syntax of closed expressions
e and on the number of function calls that may be encountered during the evaluation of e. Let e be the
main expression of N and E = environment(N). The only interesting case is when e is a spreading
expression {e0 : f(@, e1, ..., en)}. By induction there exists h > 0 such that if N ⇒_h N1 then on
every device ι, the evaluation of e0, e1, ..., en produces stable value-trees θ_{0,ι}, θ_{1,ι}, ..., θ_{n,ι}, which
are univocally determined by E. Note that, if N ⇒_h N2 then N2 is pre-self-stable. Therefore we
focus on the case when N is pre-self-stable. The proof of this case is based on the following auxiliary
results (which correspond to Lemmas B.1 to B.6 of Appendix B).

B.1 (Minimum value): Any 1-fair evolution N ⇒_1 N' increases the value of any not self-stable
device ι in N such that v_ι(in N) is minimum (among the values of the devices in N). The new value
v_ι(in N') is such that there exists a value v' such that v_ι(in N) < v' < v_ι(in N') and in any subsequent
firing evolution N' ⇒ N'' the value of the device ι will always be greater than or equal to v' (i.e.,
v' ≤ v_ι(in N'')).

B.2 (Self-stabilisation of the minimum value): Let S1 be the subset of the devices in N such that
v_{0,ι} is minimum (among the values of e0 in the devices in N). There exists k > 0 such that any
k-fair evolution N ⇒_k N' is such that

(1) each device ι in S1 is self-stable in N';

(2) in N' each device not in S1 has a value greater than or equal to the values of the devices in S1
and, during any firing evolution, it will always assume values greater than the values of the
devices in S1.

B.3 (Frontier): Let D be a set of devices. Given a set of stable devices S ⊆ D we write frontier_S(D)
to denote the subset of the devices ι ∈ D − S such that there exists a device ι' ∈ S such that ι' is a
neighbour of ι. If D are the devices of the network and S satisfies the following conditions

(i) the condition obtained from condition (1) above by replacing S1 with S,

(ii) the condition obtained from condition (2) above by replacing S1 with S, and

(iii) frontier_S(D) ≠ ∅,

then any 1-fair evolution makes the devices in frontier_S(D) self-stable.

B.4 (Minimum value not in S): If D are the devices of the network, S satisfies conditions (i) to (iii)
above and the following condition

(iv) each device in frontier_S(D) is self-stable in N,

and M ⊆ D − S is the set of devices ι such that v_{0,ι}(in N) is minimum (among the values of the devices
in D − S), and M ∩ frontier_S(D) = ∅, then any 1-fair evolution N ⇒_1 N' increases the value of
any not self-stable device ι in M. The new value v_ι(in N') is such that there exists a value v' such
that v_ι(in N) < v' < v_ι(in N') and in any subsequent firing evolution N' ⇒ N'' the value of the
device ι will always be greater than or equal to v' (i.e., v' ≤ v_ι(in N'')).

B.5 (Self-stabilisation of the minimum value not in S): If D are the devices of the network, S
satisfies conditions (i) to (iv) above, and M ⊆ D − S is the set of devices ι such that v_{0,ι} is
minimum (among the values of the devices in D − S), then there exists k > 0 such that any k-fair
evolution N ⇒_k N' is such that there exists a device ι1 in D − S such that S1 = S ∪ {ι1} satisfies
the conditions (1) and (2) above.
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T ::= G | <T,T>                          type

e ::= ... | <e,e> | fst e | snd e        expression


Figure 10: Extensions to the syntax of types and expressions (in Fig. 1) to model pairs


B.6 (Pre-self-stable network self-stabilisation): For every reachable pre-self-stable network configuration $N$ there exists $k > 0$ such that $N \Rightarrow_k N'$ implies that $N'$ is self-stable. This sixth auxiliary result, which concludes our proof outline, follows from the previous five auxiliary results. The idea is to consider the auxiliary results B.2, B.3 and B.5 as reasoning steps that may be iterated. We start by applying the auxiliary result B.2 to produce a non-empty set of devices $S_1$ that satisfies conditions (1) and (2) above. Then, we rename $S_1$ to $S$ and iterate the following two reasoning steps until the set of devices $S$ is such that $\mathit{frontier}_S(D) = \emptyset$:

• apply the auxiliary results B.3 and B.5 to produce a non-empty set of devices $S_1$ that satisfies conditions (1) and (2) above; and

• rename $S_1$ to $S$.

Clearly the number of iterations is finite (note that $S = D$ implies $\mathit{frontier}_S(D) = \emptyset$). If $S = D$ we are done. Otherwise note that, since $\mathit{frontier}_S(D) = \emptyset$, the evolution of the devices in $D - S$ is independent from the devices in $S$. Therefore we can iterate the whole reasoning (i.e., starting from the auxiliary result B.2) on the portion of the network with devices in $D - S$.


6. Extending the Calculus with Pairs 

The calculus presented in Sections and does not model data structures. In this section we point out that the definitions and results presented in Sections and are parametric in the set of modeled types, by considering an extension of the calculus that models the pair data structure. Recent works, such as l|3, show that the ability of modelling pairs of values is key in realising context-dependent propagation of information, where along with distance one lets the computational field carry additional information gathered during propagation. In fact, pairs are needed for programming further interesting examples (illustrated in Section 6.2), and their introduction here is useful to better grasp the subtleties of our checking algorithm for self-stabilisation, as described in the next sections.

6.1. Syntax. The extensions to the syntax of the calculus for modeling pairs are reported in Figure 10. Now types include pair types (like <real,bool>, <real,<bool,real>>, ... and so on), expressions include pair construction (<e,e>) and pair deconstruction (fst e or snd e), and values include pair values (<1,TRUE>, <2,3.5>, <<1,FALSE>,3>, ... and so on).

The ordering for ground types has to be somehow lifted to non-ground types. A natural choice for pairs is the lexicographic preorder, i.e., to define $\langle v_1, v_2\rangle \le_{\langle T_1,T_2\rangle} \langle v'_1, v'_2\rangle$ if either $v_1 <_{T_1} v'_1$ holds or both $v_1 = v'_1$ and $v_2 \le_{T_2} v'_2$ hold.

6.2. Examples. In this section we build on the examples introduced in Section [T2] and show how pairs can be used to program further kinds of behaviour useful in self-organisation mechanisms in general, and also in the specific case of crowd steering, as reported in Figure 11.

The fourth function in Figure 11, called sector, can be used to keep track of specific situations during the propagation process. It takes a zero-field source i (a field holding value 0 in a "source", as usual) and a boolean field c denoting an area of interest: it creates a gradient of pairs, orderly
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def <real,bool> sum_or(<real,bool> x, <real,bool> y) is <fst x + fst y, snd x or snd y>
def <real,bool> pt_POSINF_TRUE(<real,bool> x) is ((fst x)=POSINF) ? <POSINF,TRUE> : x
def <real,bool> sd_sum_or(<real,bool> x, <real,bool> y) is pt_POSINF_TRUE(sum_or(x,y))
def bool sector(real i, bool c) is snd { <i, c> : sum_or(@,<#dist,c>) }
def <real,real> add_to_lst(<real,real> x, real y) is <fst x + y, snd x>
def <real,real> pt_POSINF_POSINF(<real,real> x) is ((fst x)=POSINF) ? <POSINF,POSINF> : x
def <real,real> sd_add_to_lst(<real,real> x, real y) is pt_POSINF_POSINF(add_to_lst(x,y))
def <real,real> gradcast(real i, real j) is { <i, j> : add_to_lst(@, #dist) }
def real dist(real i, real j) is snd gradcast(restrict(j,j==0),grad(i))
def bool path(real i, real j, real w) is (grad(i)+grad(j))+(-w) < dist(i, j)
def real channel(real i, real j, real w) is gradobs(grad(j), not path(i, j, w))


Figure 11: Definitions of examples using pairs (see Fig.j^ for the definitions of functions restrict, grad and gradobs)





Figure 12: Pictorial representation of sector field (left), partition (center) and channel field (right) 


holding the distance from the source and a boolean value representing whether the route towards the source crossed area c. As one such gradient is produced, it is wholly applied to operator snd, extracting a sector-like boolean field as shown in Figure 12 (left). To do so, we use a special diffusion function sum_or working on <real,bool> pairs, which sums the first components and applies disjunction to the second. In crowd steering, this pattern is useful to make people aware of certain areas that the proposed path would cross, so as to support proper choices among alternatives [11]. Figure 12 (left) shows a pictorial representation.

However, our self-stabilisation result reveals a subtlety. Function sum_or has to be tuned by composing it with pt_POSINF_TRUE (which propagates the top value from the first to the second component of the pair), leading to function sd_sum_or (which is a stabilising diffusion). This is needed to make sure that the top value <POSINF,TRUE> of pairs of type <real,bool> is used when the distance reaches POSINF: this is required to achieve progressiveness, and hence self-stabilisation. Without it, in the whole area where the distance is POSINF we would have a behaviour similar to that of Example 3.8: in particular, if c is true and i is POSINF everywhere, both the state where all nodes have second component equal to true (state $S_1$) and the state where all nodes have second component equal to false (state $S_2$) would be stable, and even a temporary flip of c to false in some node would make the system inevitably move to $S_2$, a clear indication of non-self-stabilisation.

Note that the sector function can easily be changed to propagate values of any sort by changing the type of the second component of pairs and generalising over the or function. E.g., one could easily define a spreading of "set of values" representing the obstacles encountered during the spread.
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[T-PAIR] $\dfrac{\vdash e_1 : T_1 \quad \vdash e_2 : T_2}{\vdash \langle e_1, e_2\rangle : \langle T_1, T_2\rangle}$

[T-FST] $\dfrac{\vdash e : \langle T_1, T_2\rangle}{\vdash \mathtt{fst}\ e : T_1}$

[T-SND] $\dfrac{\vdash e : \langle T_1, T_2\rangle}{\vdash \mathtt{snd}\ e : T_2}$


Figure 13: Type-checking rules for pair construction and deconstruction expressions (cf. Fig.Q

Another interesting function working on pairs is gradcast, which is useful to let a gradient carry some information existing in the source. Expression gradcast(i, j), where i is a 0-field as usual, results in a field of pairs in which the first component is the minimum distance from a source and the second component is the value of j at that source. Assuming j is a field of unique values in each node, e.g. a unique identifier ID, gradcast performs a partitioning behaviour (namely, a so-called Voronoi partition): its second component forms a partition of the network into regions based on "closeness" to sources, and each region of the partition holds the value of j in that source; the first component still forms a gradient towards such sources. See Figure 12 (center). Again, function add_to_lst has to be changed to sd_add_to_lst to preserve self-stabilisation.

The remaining functions dist, path and channel are used to obtain a spatial pattern more heavily relying on multi-level composition, known as channel B6l 1^. Assume i and j are 0-fields, and suppose we want to steer people in complex and large environments from area i to destination j, i.e., from a node where i holds 0 to a node where j holds 0. Typically, it is important to activate the steering service (spreading information, providing signs, and detecting contextual information such as congestion) only along the shortest path, possibly properly extended by a width w to tolerate some randomness of people movement; see Figure 12 (right). Function dist uses gradcast to broadcast the distance d between i and j, i.e., the minimum distance between a node where i holds 0 and a node where j holds 0. This is done by sending a gradcast from the source of j holding the value of grad(i) there, which is exactly the distance d. Function path simply marks as positive those nodes whose distance from the shortest path between i and j is smaller than w. Finally, function channel generates from j a gradient confined inside path(i, j, w), which can be used to steer people towards the POI at j without escaping the path area.

6.3. Type checking. The typing rules for pair construction and deconstruction expressions are given in Figure 13. Note that adding these rules to the rules in Fig. [^ preserves the property that no choice may be made when building a derivation for a given type-checking judgment, so the type-checking rules straightforwardly describe a type-checking algorithm (cf. end of Section 3.1).

Example 6.1. Consider the library in Figure 11. The following predicates hold:

• diffusion(sum_or),

• diffusion(sd_sum_or),

• diffusion(add_to_lst), and

• diffusion(sd_add_to_lst).

Example 6.2. The library in Figure 11 type checks by using the ground types, sensors, and type-signatures for built-in functions in Figure]^


6.4. Device Computation. The big-step operational semantics rules for pair construction and deconstruction expressions are given in Figure 14. Note that they are syntax directed (in particular, the first premise of rule [E-pair] ensures that there is no conflict with rule [E-val] of Fig. [^).








F. DAMIANI AND M. VIROLI 


v ::= g | <v,v>        value

[E-PAIR] $\dfrac{\langle e_1,e_2\rangle \text{ not a value} \quad \sigma;\pi_1(\theta) \vdash e_1 \Downarrow \eta_1 \quad \sigma;\pi_2(\theta) \vdash e_2 \Downarrow \eta_2 \quad v_1 = \rho(\eta_1) \quad v_2 = \rho(\eta_2)}{\sigma;\theta \vdash \langle e_1,e_2\rangle \Downarrow \langle v_1,v_2\rangle(\eta_1,\eta_2)}$

[E-FST] $\dfrac{\sigma;\pi_1(\theta) \vdash e \Downarrow \eta \quad \langle v_1,v_2\rangle = \rho(\eta)}{\sigma;\theta \vdash \mathtt{fst}\ e \Downarrow v_1(\eta)}$

[E-SND] $\dfrac{\sigma;\pi_1(\theta) \vdash e \Downarrow \eta \quad \langle v_1,v_2\rangle = \rho(\eta)}{\sigma;\theta \vdash \mathtt{snd}\ e \Downarrow v_2(\eta)}$


Figure 14: Big-step operational semantics for pair construction and deconstruction expressions (cf. Fig.|^


6.5. Sorts. Each sort has the same structure as the type it refines. For instance, considering the sorts for ground types given in Figure]^ we can build 36 (= 6^2) pair sorts for the pair type <real,real>:

<nr,nr>, <nr,znr>, <nr,zr>, <nr,zpr>, <nr,pr>, <nr,real>
...
<real,nr>, <real,znr>, <real,zr>, <real,zpr>, <real,pr>, <real,real>

and 108 (= 36·3) sorts for the type <<real,real>,bool>:

<<nr,nr>,false>, <<nr,znr>,false>, ..., <<real,real>,bool>.

Subsorting between ground sorts can be lifted to the sorts for non-ground types by suitable subsorting rules. The following subsorting rule:

[I-PAIR] $\dfrac{S_1 \le S'_1 \quad S_2 \le S'_2}{\langle S_1,S_2\rangle \le \langle S'_1,S'_2\rangle}$

lifts subsorting between ground sorts to pair sorts by modelling pointwise ordering on pairs. Note that the subsorting relation is determined by the subsorting for ground sorts. Using the inclusions nr ≤ znr and true ≤ bool, and the above rule, it is possible to derive, e.g., the inclusion <<nr,nr>,true> ≤ <<nr,znr>,bool>. Note that no choice may be made when building a derivation for a given subsorting judgment $S_1 \le S_2$, so the subsorting rules (i.e., the rule [I-pair] and the subsorting for ground sorts) describe a deterministic algorithm.

Similarly, progressive subsorting between ground sorts is lifted to pair sorts by the following progressive subsorting rule:

[P-I-PAIR] $\dfrac{S_1 \le_{\mathit{progressive}} S'_1 \quad S_2 \le_{\mathit{progressive}} S'_2}{\langle S_1,S_2\rangle \le_{\mathit{progressive}} \langle S'_1,S'_2\rangle}$

which (together with the progressive subsorting for ground sorts) describes a deterministic algorithm.


6.6. Stabilising Diffusion Predicate and Properties. The stabilising diffusion predicate (Definition 4.2) and the stabilising diffusion condition (Section 4.3) are parametric in the set of types modeled by the calculus.


Example 6.3. The library in Figure 11 satisfies the stabilising diffusion condition. In particular, the following predicates hold:

• stabilising(sd_sum_or, <real,bool>(<real,bool>,<pr,bool>)), and

• stabilising(sd_add_to_lst, <real,real>(<real,real>,pr)).
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The statements of device computation type preservation (Theorem 5.1), device computation termination (Theorem 5.2), and network self-stabilisation for programs with valid sort and stabilising assumptions (Theorem 5.3) are parametric in the set of types modeled by the calculus. The proofs (see Appendix A and Appendix B) are indeed given for the calculus with pairs: the cases for pair construction and deconstruction are straightforward by induction. The rest of the paper considers the calculus with pairs; in particular, the rules for checking sort and stabilising assumptions for diffusions are able to check the examples presented in Section 6.2.


7. On Checking the Stabilising-Diffusion Condition

The rest of the paper is devoted to illustrating a type-based analysis for checking the stabilising-diffusion condition (cf. Section 4.3) for the extension of the calculus with pairs introduced in Section 6.


7.1. A Type-based approach for checking the Stabilising-Diffusion Condition. Recall that the stabilising-diffusion condition consists of two parts:

• validity of the sort-signature assumptions (Condition (1) of Section 4.3), and

• validity of the stabilising assumptions (Condition (2) of Section 4.3).


In order to check the stabilising-diffusion condition we assume that each program P comes with:

• a non-empty set of sort-signature assumptions s-sigs(f) for each function f; and

• a possibly empty set of stabilising sort-signature assumptions stb-s-sigs(f) for each diffusion f.

The assumptions s-sigs(b) and stb-s-sigs(b) for the built-in functions b are considered valid: they should come with the definition of the language. Instead, the validity of the assumptions s-sigs(d) and stb-s-sigs(d) for the user-defined functions d must be checked; these assumptions could be either (possibly partially) provided by the user or automatically inferred^.


7.1.1. On checking Condition (1) of Section 4.3. Section 8 introduces a sort-checking system that checks Condition (1) of Section 4.3. Namely, given a program (or library) P, it checks that: (i) each user-defined function d in P has all the sort signatures in s-sigs(d) and, if d is a diffusion, it has also the sort signatures in stb-s-sigs(d); and (ii) every diffusion-expression {e1 : f(@,e2,...,en)} occurring in P is sort-checked by considering for f only the sort-signatures in stb-s-sigs(f). The soundness of the sort-checking system (shown in Section 8.6) guarantees that, if the check is passed, then for every diffusion-expression {e1 : f(@,e2,...,en)} occurring in P there is a sort-signature $S(S_1,\ldots,S_n) \in$ stb-s-sigs(f) such that the evaluation of the subexpression $e_i$ yields a value $v_i \in [[S_i]]$ ($1 \le i \le n$). I.e., Condition (1) of Section 4.3 holds.


^The naive inference approach, that is, inferring s-sigs(d) by checking all the possible refinements of the type-signature of d, is linear in the number of elements of sort-signatures(t-sig(d)). Some optimizations are possible. We do not address this issue in the paper.
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7.1.2. On checking Condition (2) of Section 4.3. Note that, if Condition (1) of Section 4.3 has been checked by the sort-checking system of Section 8, then in order to check that Condition (2) of Section 4.3 holds it is enough to check that for each user-defined diffusion d, each sort-signature $S(S_1,\ldots,S_n) \in$ stb-s-sigs(d) is stabilising for d.

In order to check that for each user-defined diffusion d of signature $T(T_1,\ldots,T_n)$ each sort-signature $S(S_1,\ldots,S_n) \in$ stb-s-sigs(d) is stabilising for d, we introduce addit ional requirements. Namely, we require that for every user-defined diffusion d such that stb-s-sigs(d) ≠ ∅:

(1) there exists a sort-signature $S(\cdots) \in$ stb-s-sigs(d) such that $S'(\cdots) \in$ stb-s-sigs(d) implies $S \le_{\mathit{progressive}} S'$.

(2) if T is not ground (i.e., if it is a pair type), then the user-defined diffusion d is of the form

def T d(T1 x1,...,Tn xn) is pt[T_S](f(x1,...,xn))      (7.1)

where

• pt[T_S] (defined in Section 7.2) is a pure function of sort-signature S(S),

• f is a diffusion, and

• if f is user-defined then stb-s-sigs(f) = ∅.

Note that the above additional requirements can be checked automatically.

Note that the above additional requirements can be checked automatically. 

In the rest of this section we first (in Section 7.2) introduce some auxiliary definitions (including, for each sort S, the definition of the pure function pt[T_S]); then (in Section 7.3) we introduce the notion of !-prestabilising diffusion with respect to a progressive sort-signature $S(S_1,\ldots,S_n)$ and show that

• S ground implies that: if $S(S_1,\ldots,S_n)$ is !-prestabilising for the user-defined diffusion d then $S(S_1,\ldots,S_n)$ is stabilising for d;

• if $S(S_1,\ldots,S_n)$ is !-prestabilising for the diffusion f then $S(S_1,\ldots,S_n)$ is stabilising for the user-defined diffusion d displayed in Equation (7.1); and

finally (in Section 7.4) we introduce annotated sort-signatures and annotated sorts as convenient notations to be used in writing type-based rules for checking !-prestabilisation.

Section 9 introduces an annotated sort checking system that checks that for each user-defined diffusion d of signature $T(T_1,\ldots,T_n)$ and for each sort-signature $S(S_1,\ldots,S_n) \in$ stb-s-sigs(d):

• S ground implies that $S(S_1,\ldots,S_n)$ is !-prestabilising for d; and

• S not ground implies that $S(S_1,\ldots,S_n)$ is !-prestabilising for the diffusion f occurring in Equation (7.1).

The soundness of the annotated sort checking system (shown in Section 9.3) guarantees that, if the check is passed, then Condition (2) of Section 4.3 holds.


7.2. Auxiliary definitions. For any type T the leftmost-as-key preorder $\preceq_T$ is the preorder that weakens the order $\le_T$ by considering each pair as a record where the leftmost ground element is the key. It is defined by:

• $v \preceq_T v'$ if $v \le_T v'$, where T is a ground type; and

• $\langle v_1,v_2\rangle \preceq_{\langle T_1,T_2\rangle} \langle v'_1,v'_2\rangle$ if $v_1 \preceq_{T_1} v'_1$.

Note that the leftmost-as-key preorder is total, i.e., for every $v, v' \in [[T]]$ we have that either $v \preceq_T v'$ or $v' \preceq_T v$ holds. We write $v \simeq_T v'$ to mean that both $v \preceq_T v'$ and $v' \preceq_T v$ hold. Of course $v \simeq_T v'$ does not imply $v =_T v'$. Note also that $v \le_T v'$ implies $v \preceq_T v'$.

For every sort S of T, we write $\preceq_S$ to denote the restriction of $\preceq_T$ to [[S]]. According to the previous definition, we define the key of a sort S as the leftmost ground sort occurring in S,
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and the key of a value v as the leftmost ground value occurring in v. The key mappings can be inductively defined as follows:

• key(S) = S, if S is a ground sort

• key(S) = key($S_1$), if S = <$S_1$,···>

and

• key(v) = v, if v is a ground value

• key(v) = key($v_1$), if v = <$v_1$,···>.

Note that, for every v and v' of sort S it holds that:

$v \preceq_S v'$ if and only if $\mathit{key}(v) \le_{\mathit{key}(S)} \mathit{key}(v')$.      (7.2)


For every sort S of type T we write pt[T_S] to denote the pure function (which satisfies the sort-signature S(S)) that maps the elements v such that $v \simeq_S \top_S$ to $\top_S$ (i.e., that propagates the top value from the key of a pair value to all the other components of the value), and is the identity otherwise. Note that the function pt[T_S] can be inductively defined as: def T pt[T_S](T x) is e, where

$e = \begin{cases} \mathtt{x} & \text{if } S \text{ is ground} \\ (\mathtt{pt}[\top_{S_1}](\mathtt{fst\ x}) = \top_{S_1})\ \mathtt{?}\ \top_S\ \mathtt{:}\ \mathtt{x} & \text{if } \top_S = \langle \top_{S_1}, \cdots \rangle \end{cases}$

For every diffusion f with signature $T(T_1,\ldots,T_n)$ and sort signature $S(S_1,\ldots,S_n)$ ($n \ge 1$) we write sd[f,T_S] to denote the composition of f and pt[T_S], which is the diffusion (which satisfies the sort-signature $S(S_1,\ldots,S_n)$) defined as follows:

def T sd[f,T_S](T1 x1,...,Tn xn) is pt[T_S](f(x1,...,xn))


7.3. !-Prestabilising Diffusions and ?-Prestabilising Diffusions. A π-prestabilising diffusion is a diffusion whose progressiveness behaviour is expressed by the annotation π that ranges over ! (for certainly prestabilising) and ? (for possibly prestabilising), as illustrated by the following definition.

Definition 7.1 (π-prestabilising diffusion). A diffusion f is π-prestabilising with respect to the progressive sort signature $S(S_1\bar{S}) \in$ sort-signatures(f) (notation π-prestabilising(f, $S(S_1\bar{S})$)) if for any $\bar{v} \in [[\bar{S}]]$:

(1) if π = ! then

• $v \prec v'$ and $[[f]](v,\bar{v}) = v'' \neq \top_S$ imply $v'' \prec [[f]](v',\bar{v})$;

• for all $v \in [[S_1]] - \{\top_{S_1}\}$, $v \prec [[f]](v,\bar{v})$;

(2) if π ∈ {!, ?} then

• $v \preceq v'$ implies $[[f]](v,\bar{v}) \preceq [[f]](v',\bar{v})$;

• for all $v \in [[S_1]]$, $v \preceq [[f]](v,\bar{v})$.

We say that the sort-signature $S(\bar{S})$ is π-prestabilising for f to mean that π-prestabilising(f, $S(\bar{S})$) holds, and write π-prestabilising-sort-signatures(f) to denote the set of the π-prestabilising sort-signatures for f.

Recall the definition of sd[f,T_S] given at the end of Section 7.2. The following proposition guarantees that if $S(\bar{S})$ is !-prestabilising for the diffusion f then:

• S ground implies that $S(\bar{S})$ is stabilising for f; and

• $S(\bar{S})$ is stabilising for the user-defined diffusion d displayed in Equation (7.1) of Section 7.1.2.

Proposition 7.2. (1) if S is ground then: !-stabilising(f, $S(\bar{S})$) implies stabilising(f, $S(\bar{S})$), i.e.,

!-prestabilising-sort-signatures(f) ⊆ stabilising-sort-signatures(f).

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(2) !-stabilising(f, $S(\bar{S})$) implies stabilising(sd[f,T_S], $S(\bar{S})$), i.e.,

!-prestabilising-sort-signatures(f) ⊆ stabilising-sort-signatures(sd[f,T_S]).

Proof. Straightforward from Definition 7.1, Definition 4.2, and the definition of sd[f,T_S]. □

Example 7.3. Consider the libraries in Figure]^ and Figure 11. The following predicates hold (cf. Examples!?^ and 6.3):

• !-stabilising(+, real(real,pr)) and ?-stabilising(+, real(pr,zpr))

• !-stabilising(max, pr(znr,pr)) and ?-stabilising(max, real(real,real)), where max is the binary maximum function:

def real max(real x, real y) is x < y ? y : x

• ?-stabilising(id, real(real))

• ?-stabilising(restrict, real(real,bool))

• !-stabilising(restrictSum, real(real,pr,bool))

• !-stabilising(sum_or, <real,bool>(<real,bool>,<pr,bool>))

• !-stabilising(add_to_lst, <real,real>(<real,real>,pr))


7.4. Annotated Sort-Signatures and Annotated Sorts. In order to be able to write type-based rules for checking π-stabilisation we introduce, as convenient notations, annotated sort-signatures and annotated sorts.

An annotated sort-signature $S(\bar{S})[\pi]$ is a progressive sort-signature (cf. Definition 4.4) with a π annotation. It provides a convenient notation to express the fact that the predicate π-prestabilising(f, $S(\bar{S})$) holds. Namely, we say that a diffusion f has (or satisfies) the annotated sort-signature $S(\bar{S})[\pi]$ to mean that the predicate π-prestabilising(f, $S(\bar{S})$) holds. We write π-annotated-sort-signatures(f) to denote the set of the annotated sort-signatures with annotation π that are satisfied by the diffusion f, and we write annotated-sort-signatures(f) to denote !-annotated-sort-signatures(f) ∪ ?-annotated-sort-signatures(f).

The support of an annotated sort signature $S(\bar{S})[\pi]$ is the progressive sort signature $S(\bar{S})$. Given an annotated sort-signature $S(\bar{S})[\pi]$ we write $|S(\bar{S})[\pi]|$ to denote its support. Note that, according to the above definitions, the mapping π-annotated-sort-signatures(·) provides the same information as the mapping π-prestabilising-sort-signatures(·) introduced in Section 7.3, i.e., π-prestabilising-sort-signatures(f) = |π-annotated-sort-signatures(f)|.

Given a diffusion type-signature $T(T\bar{T})$ (cf. Definition 3.2) we write annotated-sort-signatures($T(T\bar{T})$) to denote the (set of) annotated sort-signatures that refine it, i.e., the set

$\{\, S(S_1\bar{S})[\pi] \mid S(S_1\bar{S}) \in \text{progressive-sort-signatures}(T(T\bar{T})) \text{ and } \pi \in \{!,?\} \,\}$.

Recall the stabilising subsigning partial order between progressive signatures introduced at the end of Section 4.2. The following order between progressiveness annotations, that we call subannotating relation and denote by ≤,

! ≤ ?

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induces the following partial order between annotated sort-signatures, that we call annotated subsigning:

[I-A-SIG] $\dfrac{S(S_1\bar{S}) \le_{\mathit{stabilising}} S'(S'_1\bar{S}') \quad \pi \le \pi'}{S(S_1\bar{S})[\pi] \le S'(S'_1\bar{S}')[\pi']}$

The following proposition shows that annotated subsigning captures the natural implication relation between π-prestabilisation properties.

Proposition 7.4 (Soundness of annotated subsigning). If the diffusion f satisfies the annotated sort-signature $S(\bar{S})[\pi]$ and $S(\bar{S})[\pi] \le S'(\bar{S}')[\pi']$, then f satisfies $S'(\bar{S}')[\pi']$.

Proof. Straightforward from Definition 7.1 and the definition of annotated subsigning (Rule [I-A-SIG] above). □

We say that a value v has (or satisfies) annotated sort $S'_1[\pi]$ to mean that v has sort $S'_1$, and the application of any diffusion with annotated sort signature $S(S_1,\ldots,S_n)[\pi']$ such that both $\mathit{key}(S'_1) \le_{\mathit{progressive}} \mathit{key}(S_1)$ and $S'_1 \le S_1$ hold, to v and to values $v_2,\ldots,v_n$ of sorts $S'_2,\ldots,S'_n$ (respectively) such that $S'_2 \le S_2, \ldots, S'_n \le S_n$, produces a result of annotated sort $S[\pi'']$, where $\pi'' = \pi \sqcup \pi'$ (the join of π and π' w.r.t. the subannotating relation). According to this definition, the following property holds.


Proposition 7.5 (Annotated sorts for ground values). For every sort S ∈ sorts(T) the maximum element v of [[S]] w.r.t. $\le_S$ has both sort S[!] and sort S[?].

Proof. Straightforward from Definition 7.1. □


The following partial order between annotated sorts, that we call annotated subsorting, models the natural implication between the properties they represent:

[I-A-SORT] $\dfrac{\mathit{key}(S) \le_{\mathit{progressive}} \mathit{key}(S') \quad S \le S' \quad \pi \le \pi'}{S[\pi] \le S'[\pi']}$

The support of an annotated sort S[π] is the sort S. Given an annotated sort A we write |A| to denote its support.


8. Checking Sort-Signature Assumptions for User-Defined Functions 

In this section we present a decidable sort-checking system that guarantees that if a program (or library) P is well-sorted (i.e., it can be successfully checked by the rules of the system) then Condition (1) of Section 4.3 holds.

We first introduce some auxiliary definitions (in Section 8.1); then we consider the issue of associating sorts to values and sensors (in Section 8.2), sort-signatures to functions (in Section 8.3) and stabilising sort-signatures to diffusions (in Section 8.4); and finally we present a decidable sort system for checking the correctness of sort-signature declarations for user-defined functions (in Section 8.5) and show that it is sound (in Section 8.6).

^Note that, in this section, we do not use the additional requirements (1) and (2) introduced at the beginning of Section 7.1.2. This generality might become useful since Condition (2) of Section 4.3 might be checked by using a technique different from the one presented in Section 9.
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8.1. Auxiliary Definitions. The auxiliary definitions presented in this section will be used (in Section 8.5) to formulate the sort-checking rules for function applications and spreading expressions.

Recall that for every type T and type-signature $T(\bar{T})$ both (sorts(T), ≤) and (sort-signatures($T(\bar{T})$), ≤) are partial orders (cf. Section 4.1). Sort checking an expression e of type T amounts to computing an abstract interpretation [15] over these partial orders.

Given a partial order (P, ≤) and a subset Q of P we say that:

• an element q ∈ Q is minimal in Q to mean that: if $q_0 \in Q$ and $q_0 \le q$ then $q = q_0$; the set of the minimal elements of Q is denoted by minimals(Q);

• Q is minimised to mean that every q ∈ Q is minimal in Q, i.e., that Q = minimals(Q).

Given a set of sort-signatures Q ⊆ sort-signatures($T(\bar{T})$) and some sorts $\bar{S}' \in$ sorts($\bar{T}$), consider the (possibly empty) subset of Q defined as follows:

$Q(\bar{S}') = \{\, S(\bar{S}) \in Q \mid \bar{S}' \le \bar{S} \,\}$.

We say that Q is deterministic, notation deterministic(Q), to mean that for all sorts $\bar{S}'$ such that $Q(\bar{S}')$ is not empty there exists a sort-signature $S(\bar{S}) \in Q(\bar{S}')$, called the most specific sort-signature for $\bar{S}'$ in Q, such that:

for all $S''(\bar{S}'') \in Q(\bar{S}')$ it holds that $S \le S''$.

The mapping ms(Q, $\bar{S}'$), given a deterministic set of sort-signatures Q ⊆ sort-signatures($T(\bar{T})$) and some sorts $\bar{S}' \in$ sorts($\bar{T}$), returns the most specific sort-signature for $\bar{S}'$ in Q if $Q(\bar{S}')$ is not empty, and is undefined otherwise.

8.2. Sorts for Values and Sensors. We assume a mapping sort(·) that associates:

• to each ground value g the minimum (w.r.t. ≤) sort sort(g) in sorts(type(g)), and

• to each sensor s the minimum (w.r.t. ≤) sort sort(s) in sorts(type(s)) such that g ∈ [[sort(s)]] for every ground value g that may be returned by s.

Example 8.1. Figure 15 illustrates the sorts for the ground values and sensors used in the examples introduced throughout the paper.


8.3. Sort-signatures for Functions. We assume a mapping s-sigs(·) that associates to each built-in function b a set of sort-signatures s-sigs(b) ⊆ sort-signatures(b) such that the following conditions are satisfied:

• s-sigs(b) is non-empty, minimised and deterministic, and

• s-sigs(b) represents all the sort-signatures satisfied by b, i.e., for each $S'(\bar{S}') \in$ sort-signatures(b) there exists $S(\bar{S}) \in$ s-sigs(b) such that $S(\bar{S}) \le S'(\bar{S}')$ holds.

Note that the first of the above two conditions on the mapping s-sigs(b) can be checked automatically.

Example 8.2. Figure 16 illustrates the sort-signatures for built-in functions used in the examples introduced throughout the paper.

We also assume that the mapping s-sigs(·) associates to each user-defined function d a set of sort-signatures s-sigs(d) ⊆ sort-signatures(t-sig(d)) such that the following conditions are satisfied:

• s-sigs(d) is non-empty, minimised and deterministic, and

• s-sigs(d) contains at least one sort-signature which is smaller than the type-signature t-sig(d), i.e., there exists $S(\bar{S}) \in$ s-sigs(d) such that $S(\bar{S}) \le$ t-sig(d) holds.

Note that the above two conditions on the mapping s-sigs(d) can be checked automatically.
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Ground values sort:

sort(FALSE) = false
sort(TRUE) = true
sort(g) = nr,  if type(g) = real and g < 0
sort(g) = zr,  if g = 0
sort(g) = pr,  if type(g) = real and g > 0

Sensors sort:

sort(#src) = zpr
sort(#dist) = pr


Figure 15: Sorts for ground values and sensors used in the examples (cf. Figure]^


8.4. Stabilising Sort-signatures for Diffusions. We assume a mapping stb-s-sigs(·) that associates to each built-in diffusion b a (possibly empty) set of sort-signatures stb-s-sigs(b) such that the following conditions are satisfied:

• stb-s-sigs(b) is minimised and deterministic;

• stb-s-sigs(b) ⊆ stabilising-sort-signatures(b); and

• stb-s-sigs(b) represents all the stabilising sort-signatures satisfied by b, i.e., for each $S'(\bar{S}') \in$ stabilising-sort-signatures(b) there exists $S(\bar{S}) \in$ stb-s-sigs(b) such that $S(\bar{S}) \le S'(\bar{S}')$ holds.

Note that the first of the above three conditions on the mapping stb-s-sigs(b) can be checked automatically.

Example 8.3. Figure 17 gives the stabilising sort-signatures for the built-in diffusions b used in the examples introduced throughout the paper; the built-in diffusions without stabilising sort-signatures are omitted. Note that stb-s-sigs(+) ⊄ s-sigs(+), since the stabilising sort-signature real(real,pr) ∈ stb-s-sigs(+) is not minimal in s-sigs(+) ∪ {real(real,pr)} and therefore it cannot be included in s-sigs(+): it would break the requirement that s-sigs(+) must be minimised and deterministic (condition (1) at the beginning of Section 7.1.2).


We also assume that the mapping stb-s-sigs(·) associates to each user-defined diffusion d a (possibly empty) set of stabilising sort-signatures stb-s-sigs(d) ⊆ stabilising-sort-signatures(d) such that the following conditions are satisfied:

• stb-s-sigs(d) is minimised and deterministic, and

• stb-s-sigs(d) is implied by s-sigs(d), i.e., for each S'(S̄') ∈ stb-s-sigs(d) there exists S(S̄) ∈ s-sigs(d) such that S(S̄) ≤ S'(S̄').

Note that the above two conditions on the mapping stb-s-sigs(d) can be checked automatically.


Example 8.4. We assume that for the user-defined functions d used in the examples introduced throughout the paper

    s-sigs(d) = minimals({t-sig(d)} ∪ stb-s-sigs(d)).

Figure 18 gives minimised deterministic sets of stabilising sort-signatures that allow to successfully check the user-defined diffusions d used in the examples introduced in the paper; note that both the additional requirements (1) and (2) given at the beginning of Section 7.1.2 are satisfied.
    s-sigs(not) = true(false), false(true), bool(bool)

    s-sigs(or)  = false(false,false), true(true,bool), true(bool,true), bool(bool,bool)

    s-sigs(-)   = nr(pr), znr(zpr), zr(zr), zpr(znr), pr(nr), real(real)

    s-sigs(+)   = nr(nr,znr), nr(znr,nr), znr(znr,znr), zr(zr,zr), zpr(zpr,zpr), pr(zpr,pr), pr(pr,zpr), real(real,real)

    s-sigs(=)   = false(znr,pr), false(nr,zpr), false(zpr,nr), false(pr,znr), true(zr,zr), bool(real,real)

    s-sigs(<)   = false(zpr,nr), false(pr,znr), false(zr,zr), true(nr,zpr), true(znr,pr), bool(real,real)

Figure 16: Sort-signatures for built-in functions used in the examples (cf. Figure …)


    stb-s-sigs(or) = false(false,false), true(true,bool), true(bool,true)

    stb-s-sigs(+)  = zr(zr,zr), pr(zpr,pr), real(real,pr)   (∉ s-sigs(+))

Figure 17: Stabilising sort-signatures for built-in functions used in the examples (cf. Figure 16)
    stb-s-sigs(restrictSum)   = real(real,pr,bool)

    stb-s-sigs(sd_sum_or)     = <real,bool>(<real,bool>,<pr,bool>)

    stb-s-sigs(sd_add_to_lst) = <real,real>(<real,real>,pr)

Figure 18: Stabilising sort-signatures for the user-defined functions used in the examples


Expression sort checking:   𝒮 ⊢ e : S

  [S-VAR]    𝒮, x : S ⊢ x : S        [S-SNS]    𝒮 ⊢ s : sort(s)        [S-GVAL]    𝒮 ⊢ g : sort(g)

  [S-PAIR]   𝒮 ⊢ e1 : S1    𝒮 ⊢ e2 : S2        [S-FST]   𝒮 ⊢ e : <S1,S2>       [S-SND]   𝒮 ⊢ e : <S1,S2>
             ----------------------------                 -----------------               -----------------
             𝒮 ⊢ <e1,e2> : <S1,S2>                        𝒮 ⊢ fst e : S1                  𝒮 ⊢ snd e : S2

  [S-COND]   𝒮 ⊢ e0 : bool    𝒮 ⊢ e1 : S1    𝒮 ⊢ e2 : S2    S = sup_≤(S1, S2)
             ---------------------------------------------------------------
             𝒮 ⊢ e0?e1:e2 : S

  [S-COND-TRUE]   𝒮 ⊢ e0 : true    𝒮 ⊢ e1 : S1    𝒮 ⊢ e2 : S2
                  -------------------------------------------
                  𝒮 ⊢ e0?e1:e2 : S1

  [S-COND-FALSE]  𝒮 ⊢ e0 : false    𝒮 ⊢ e1 : S1    𝒮 ⊢ e2 : S2
                  --------------------------------------------
                  𝒮 ⊢ e0?e1:e2 : S2

  [S-FUN]    𝒮 ⊢ ē : S̄    S(···) = ms(s-sigs(f), S̄)
             ---------------------------------------
             𝒮 ⊢ f(ē) : S

  [S-SPR]    diffusion(f)    𝒮 ⊢ e0 ē : S0 S̄    S'(···) = ms(stb-s-sigs(f), S0 S̄)    S = sup_≤(S0, S')
             -----------------------------------------------------------------------------------
             𝒮 ⊢ {e0 : f(@, ē)} : S

User-defined function sort checking:   ⊢ D : S̄(S̄)

  [S-DEF]    for all S(S̄) ∈ s-sigs(d):    x̄ : S̄ ⊢ e : S'    S' ≤ S
             -----------------------------------------------------
             ⊢ def T d(T̄ x̄) is e : s-sigs(d)

Figure 19: Sort-checking rules for expressions and function definitions


8.5. Sort Checking. In this section we present a decidable sort checking system for user-defined functions to check whether the sort-signature declarations provided by the mapping s-sigs(·) are correct. The sort-checking rules are given in Figure 19. Sort environments, ranged over by 𝒮 and written x̄ : S̄, contain sort assumptions for program variables. The sort-checking judgement for expressions is of the form 𝒮 ⊢ e : S, to be read: e has sort S under the sort assumptions 𝒮 for the program variables occurring in e. Sort checking of variables, sensors, ground values, pair constructions and deconstructions, and conditionals is similar to type checking. In particular, ground values and sensors are given a sort by construction by exploiting the mapping sort(·) introduced in Section 8.2, and the sort assigned to a conditional expression is:

• the least upper bound sup_≤(S1, S2) of the sorts assigned to the branches (cf. Section 4.1) when the condition has sort bool;

• the sort assigned to the left branch when the condition has sort true; and

• the sort assigned to the right branch when the condition has sort false.

The sort-checking rule [S-FUN] for function application exploits the mapping s-sigs(·) introduced in Section 8.3 and the auxiliary mapping ms introduced in Section 8.1. It first infers the sorts S̄ for the arguments ē of f, then uses the most specific sort-signature for S̄ in s-sigs(f) for assigning to the application f(ē) the minimum sort S that can be assigned to f(ē) by using for f any of the sort-signatures in s-sigs(f).

In a similar way, the sort-checking rule [S-SPR] for spreading expressions first infers the sorts S0 S̄ for e0 ē, then retrieves the most specific sort-signature for S0 S̄ in stb-s-sigs(f), S'(···), and finally assigns to the spreading expression the least upper bound of S0 and S'.

The sort-checking rule for function definitions (which derives judgements of the form ⊢ D : S̄(S̄), where S̄(S̄) = S1(S̄1) ··· Sn(S̄n) and n > 1) requires to check the definition D of a user-defined function d with respect to all the sort-signatures in s-sigs(d).

We say that a program (or library) P is well sorted to mean that all the user-defined function definitions in P sort check by using the rules in Figure 19.

Since no choice needs to be made when building a derivation for a given sort-checking judgement, the sort-checking rules straightforwardly describe a sort-checking algorithm.
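As an added illustration (not code from the paper), the following Python script implements the sort lattice, the most specific sort-signature lookup ms, and the rules [S-VAR], [S-GVAL], [S-COND] and [S-FUN] over the sort-signatures for -, + and < listed in Figure 16; it then checks a constructed user-defined function abs against a declared set of sort-signatures, as [S-DEF] does, including the minimised/deterministic side conditions of Section 8.3. The subsorting order on the real and bool sorts, the ordering on sort-signatures used by the minimality check (smaller result sort, more general parameter sorts, which is what makes real(real,pr) non-minimal in Example 8.3), and the function abs are assumptions of this example.

```python
"""Sort checking in the style of Section 8.5 (constructed example, not the paper's code).

Assumptions: the subsorting order UPSET, the contravariant ordering on
sort-signatures (sig_leq) and the user-defined function `abs`.
The sort-signatures of -, + and < are those of Figure 16.
"""
from itertools import product

# Assumed subsorting: each sort maps to its up-set (itself and every larger sort),
# i.e. nr < znr < real, zr < znr, zr < zpr < real, pr < zpr, true/false < bool.
UPSET = {
    "nr": {"nr", "znr", "real"}, "zr": {"zr", "znr", "zpr", "real"},
    "pr": {"pr", "zpr", "real"}, "znr": {"znr", "real"},
    "zpr": {"zpr", "real"}, "real": {"real"},
    "true": {"true", "bool"}, "false": {"false", "bool"}, "bool": {"bool"},
}

def leq(s1, s2):
    """Subsorting s1 <= s2."""
    return s2 in UPSET[s1]

def sup(s1, s2):
    """Least upper bound sup_<=(s1, s2): the common upper bound below all others."""
    common = UPSET[s1] & UPSET[s2]
    return next(s for s in common if all(leq(s, t) for t in common))

def sorts_below(top):
    return [s for s in UPSET if leq(s, top)]

# A sort-signature S(S1,...,Sn) is represented as (S, (S1,...,Sn)).  Figure 16:
S_SIGS = {
    "-": [("nr", ("pr",)), ("znr", ("zpr",)), ("zr", ("zr",)),
          ("zpr", ("znr",)), ("pr", ("nr",)), ("real", ("real",))],
    "+": [("nr", ("nr", "znr")), ("nr", ("znr", "nr")), ("znr", ("znr", "znr")),
          ("zr", ("zr", "zr")), ("zpr", ("zpr", "zpr")), ("pr", ("zpr", "pr")),
          ("pr", ("pr", "zpr")), ("real", ("real", "real"))],
    "<": [("false", ("zpr", "nr")), ("false", ("pr", "znr")), ("false", ("zr", "zr")),
          ("true", ("nr", "zpr")), ("true", ("znr", "pr")), ("bool", ("real", "real"))],
}
T_SIGS = {"-": ("real", ("real",)), "+": ("real", ("real", "real")),
          "<": ("bool", ("real", "real"))}

def sig_leq(sig1, sig2):
    """Assumed ordering on sort-signatures: smaller result, larger parameters.
    Under it real(real,real) <= real(real,pr), so real(real,pr) is not minimal
    in s-sigs(+) u {real(real,pr)} (Example 8.3)."""
    (r1, p1), (r2, p2) = sig1, sig2
    return leq(r1, r2) and all(leq(b, a) for a, b in zip(p1, p2))

def minimised(sigs):
    """No signature in the set lies strictly below another one."""
    return all(not (o != s and sig_leq(o, s)) for s in sigs for o in sigs)

def applicable(sigs, arg_sorts):
    """Q(S'): signatures whose parameter sorts are above the argument sorts."""
    return [s for s in sigs if all(leq(a, p) for a, p in zip(arg_sorts, s[1]))]

def ms(sigs, arg_sorts):
    """Most specific signature: its result is below every other applicable
    result.  None when no applicable signature has that property."""
    cands = applicable(sigs, arg_sorts)
    return next((s for s in cands if all(leq(s[0], o[0]) for o in cands)), None)

def deterministic(sigs, t_sig):
    """ms is defined for every argument-sort tuple with a non-empty Q(S')."""
    domains = [sorts_below(p) for p in t_sig[1]]
    return all(not applicable(sigs, args) or ms(sigs, args) is not None
               for args in product(*domains))

def sort_of_value(g):
    """The mapping sort(.) of Figure 15 for booleans and reals."""
    if isinstance(g, bool):
        return "true" if g else "false"
    return "nr" if g < 0 else "zr" if g == 0 else "pr"

def check(env, e, sigs):
    """Expression sort checking: returns S such that env |- e : S.
    Expressions: ("var", x), ("gval", g), ("cond", e0, e1, e2), ("app", f, [args])."""
    kind = e[0]
    if kind == "var":      # [S-VAR]
        return env[e[1]]
    if kind == "gval":     # [S-GVAL]
        return sort_of_value(e[1])
    if kind == "cond":     # [S-COND], [S-COND-TRUE], [S-COND-FALSE]
        s0, s1, s2 = (check(env, sub, sigs) for sub in e[1:])
        return s1 if s0 == "true" else s2 if s0 == "false" else sup(s1, s2)
    if kind == "app":      # [S-FUN]
        sig = ms(sigs[e[1]], [check(env, a, sigs) for a in e[2]])
        if sig is None:
            raise TypeError(f"no most specific sort-signature for {e[1]}")
        return sig[0]
    raise ValueError(kind)

def check_def(params, body, decl_sigs, t_sig, sigs):
    """[S-DEF] plus the Section 8.3 conditions: decl_sigs is minimised and
    deterministic, contains a signature below t_sig, and the body checks
    below the declared result for every declared parameter assignment."""
    if not (minimised(decl_sigs) and deterministic(decl_sigs, t_sig)):
        return False
    if not any(sig_leq(s, t_sig) for s in decl_sigs):
        return False
    return all(leq(check(dict(zip(params, ps)), body, sigs), r) for r, ps in decl_sigs)

# Assumed user-defined function:  def real abs(real x) is (x < 0) ? (- x) : x
ABS_BODY = ("cond", ("app", "<", [("var", "x"), ("gval", 0)]),
            ("app", "-", [("var", "x")]), ("var", "x"))
ABS_T_SIG = ("real", ("real",))
ABS_SIGS = [("pr", ("nr",)), ("zr", ("zr",)), ("pr", ("pr",)), ("real", ("real",))]

def abs_sort_checks():
    return check_def(["x"], ABS_BODY, ABS_SIGS, ABS_T_SIG, S_SIGS)
```

Note how the sort assigned to abs depends on the assumed parameter sort: under x : nr the condition gets sort true, so only the left branch counts and the result is pr; under x : zpr the condition only gets sort bool, and the least upper bound of the two branches (znr and zpr) is real, which is why real(real) rather than zpr(zpr) is the signature declared for that case.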


Example 8.5. All user-defined functions provided in the examples in Sections 2.2 and 6.2 sort check by assuming the ground sorts and the subsorting given in Figure …, the sorts for the ground values and sensors given in Figure 15, the sort-signatures for built-in functions given in Figure 16, the stabilising sort-signatures for built-in functions given in Figure 17 and the stabilising sort-signatures for user-defined diffusions given in Figure 18.


8.6. Sort Soundness of Device Computation. In order to state the correctness of the sort-checking system presented in Section 8.5 we introduce the notion of set of well-sorted value-trees for an expression, which generalises to sorts the notion of set of well-typed value-trees for an expression introduced in Section ….

Given an expression e such that x̄ : S̄ ⊢ e : S, the set WSVT(x̄ : S̄, e, S) of the well-sorted value-trees for e is inductively defined as follows: θ ∈ WSVT(x̄ : S̄, e, S) if there exist

• a sensor mapping σ;

• well-formed tree environments θ̄ ∈ WSVT(x̄ : S̄, e, S); and

• values v̄ such that length(v̄) = length(x̄), ∅ ⊢ v̄ : S̄' and S̄' ≤ S̄;

such that σ;θ̄ ⊢ e[x̄ := v̄] ⇓ θ holds. Note that this definition is inductive, since the sequence of evaluation trees θ̄ may be empty.

The following theorem guarantees that from a properly sorted environment, evaluation of a well-sorted expression yields a properly sorted result.

Theorem 8.6 (Device computation sort preservation). If x̄ : S̄ ⊢ e : S, σ is a sensor mapping, θ̄ ∈ WSVT(x̄ : S̄, e, S), length(v̄) = length(x̄), ∅ ⊢ v̄ : S̄', S̄' ≤ S̄, and σ;θ̄ ⊢ e[x̄ := v̄] ⇓ θ, then ∅ ⊢ ρ(θ) : S' for some S' such that S' ≤ S.

Proof. See Appendix …. □

Remark 8.7 (On the relation between type checking and sort checking). A sort system should be such that all the programs (or libraries) accepted by the sort system are accepted by the original type system and vice-versa (cf. the discussion at the beginning of Section 4.1). However, the sort system considered in this paper has a peculiarity: it checks that every diffusion expression {e0 : f(@, e1, …, en)} occurring in P is sort-checked by considering for f only the sort-signatures in stb-s-sigs(f), which is assumed to be such that for all S(S̄) ∈ stb-s-sigs(f) the predicate stabilising(f, S(S̄)) holds. Therefore, some well-typed programs (or libraries), including all the non-self-stabilising programs (like the one considered in Example 3.8), do not sort check.

The standard relation between the sort system and the type system that it refines holds for programs (or libraries) that do not contain spreading expressions, i.e., all the programs (or libraries) that do not contain spreading expressions and are accepted by the original type system are accepted by the sort system and vice-versa. In particular, whenever all the sorts are trivial (i.e., sorts(T) = {T} for every type T) we have that, on programs (or libraries) that do not contain spreading expressions, the sort-checking rules (in Figure 19) behave exactly as the type-checking rules (in Figure …).


9. Checking Stabilising Assumptions for User-Defined Diffusions


In this section we present a decidable annotated sort checking system which guarantees that, if a program P is well-sorted (i.e., it can be successfully checked by the rules of the system given in Section 8.5 and, therefore, satisfies Condition (1) of Section 4.3), then, under the additional requirements (1) and (2) introduced at the beginning of Section 7.1.2, if P is well-annotated (i.e., it can be successfully checked by the rules of the system) then Condition (2) of Section 4.3 holds, and hence self-stabilisation follows.

To this aim, under the additional requirements (1) and (2) introduced at the beginning of Section 7.1.2, we assume that each program P comes with a mapping a-s-sigs(·) that associates to each diffusion f a (possibly empty) set of annotated sort-signatures a-s-sigs(f) (we write π-s-sigs(·) to denote the mapping such that π-s-sigs(f) = {S(S̄)[π] | S(S̄)[π] ∈ a-s-sigs(f)}) such that the following conditions are satisfied:

• for every diffusion f of type T(···), if T is ground, then stb-s-sigs(f) = |!-s-sigs(f)|;

• for every user-defined diffusion d of the form displayed in Equation 7.1 of Section 7, consider the function f occurring in the body of d:

  – if f is a built-in function, then stb-s-sigs(d) ⊆ |!-s-sigs(f)|, and

  – if f is user-defined, then stb-s-sigs(d) = |!-s-sigs(f)|.

Note that the above conditions (which can be checked automatically) imply that, for every user-defined function d, the value of stb-s-sigs(d) is completely defined by the mapping a-s-sigs(·); therefore, there is no need to explicitly define the value of stb-s-sigs(·) for user-defined diffusions. The assumptions a-s-sigs(b) for the built-in functions b are considered valid: they should come with the definition of the language. Instead, the validity of the assumptions a-s-sigs(d) for the user-defined functions d must be checked; these assumptions could be either (possibly partially) provided by the user or automatically inferred.¹ Therefore, in order to check that Condition (2) of Section 4.3 holds, it is enough to check that each of the user-defined diffusions d of P has all the annotated sort-signatures in a-s-sigs(d).

We first introduce some auxiliary definitions (in Section 9.1), then we consider the issue of associating annotated sort-signatures to diffusions (in Section 9.2) and the issue of associating annotated sorts to values (in Section 9.3), and finally we present a decidable annotated sort checking system for checking the correctness of annotated sort-signature declarations for user-defined diffusions (in Section 9.4) and show its soundness (in Section 9.5).


¹ The naive inference approach, that is, inferring a-s-sigs(d) by checking all the sort-signatures of d, is linear in the number of elements of s-sigs(d). Some optimisations are possible. We do not address this issue in the paper.
9.1. Auxiliary definitions. In this section we adapt the notions of minimal set of sort-signatures, deterministic set of sort-signatures and most specific sort-signature (cf. Section 8.1) to annotated sort-signatures. These notions will be used (in Section 9.4) to formulate the annotated sort-checking rules for function applications.

Given a diffusion signature T(T T̄) and a set of annotated sort-signatures Q ⊆ annotated-sort-signatures(T(T T̄)), an annotated sort S'1 [π'] such that S'1 ∈ sort-signatures(T) and some sorts S̄' ∈ sort-signatures(T̄), consider the (possibly empty) subset of Q defined as follows:

    Q(S'1 [π'] S̄') = {S(S1 S̄) [π''] ∈ Q | key(S'1) … key(S1), S'1 ≤ S1 and S̄' ≤ S̄}.

We say that Q is deterministic, notation deterministic(Q), to mean that for all S'1 [π'] S̄' there exists an annotated sort-signature S(S1 S̄) [π] ∈ Q(S'1 [π'] S̄'), called the most specific annotated sort-signature for S'1 [π'] S̄' in Q, such that:

    for all S''(S̄'') [π''] ∈ Q(S'1 [π'] S̄') it holds that S [π(π')] ≤ S'' [π''(π')].

The mapping ms(Q, S'1 [π'] S̄'), given a deterministic set of sort-signatures Q ⊆ annotated-sort-signatures(T(T T̄)), an annotated sort S'1 [π'] such that S'1 ∈ sort-signatures(T) and some sorts S̄' ∈ sort-signatures(T̄), returns the most specific annotated sort-signature for S'1 [π'] S̄' in Q if Q(S'1 [π'] S̄') is not empty, and is undefined otherwise.


9.2. Annotated Sort-Signatures for Diffusions. The mapping a-s-sigs(·) and the conditions that provide its link with the mapping stb-s-sigs(·) have been illustrated at the beginning of Section 9. Here, we illustrate some additional conditions that are needed to simplify the formulation of the annotated sort checking rules and to guarantee their soundness.

We assume that for each built-in diffusion b the (possibly empty) set of annotated sort-signatures a-s-sigs(b) is such that the following conditions are satisfied:

• a-s-sigs(b) is minimised and deterministic;

• a-s-sigs(b) ⊆ annotated-sort-signatures(b); and

• a-s-sigs(b) represents all the annotated sort-signatures satisfied by b, i.e., for each S'(S̄') [π'] ∈ annotated-sort-signatures(b) there exists S(S̄) [π] ∈ a-s-sigs(b) such that S(S̄) [π] ≤ S'(S̄') [π'] holds.

Note that the first of the above three conditions on the mapping a-s-sigs(b) can be checked automatically.

Example 9.1. Figure 20 illustrates the annotated sort-signatures for the built-in diffusions used in the examples introduced throughout the paper.

We also assume that for each user-defined diffusion d the (possibly empty) set of annotated sort-signatures a-s-sigs(d) is minimised and deterministic (note that this condition can be checked automatically).

Example 9.2. Figure 21 gives minimal deterministic sets of annotated sort-signatures for the user-defined π-prestabilising diffusions that allow to successfully check the user-defined diffusions used in the examples introduced throughout the paper.
    a-s-sigs(or) = false(false,false)[!], true(true,bool)[!], true(bool,true)[!]

    a-s-sigs(+)  = nr(nr,zr)[?], znr(znr,zr)[?], zr(zr,zr)[!], zpr(zpr,zpr)[?], pr(zpr,pr)[!], pr(pr,zpr)[?], real(real,zpr)[?], real(real,pr)[!]

Figure 20: Annotated sort-signatures for built-in π-prestabilising diffusions used in the examples (cf. Figure …)


    a-s-sigs(restrict)    = real(real,bool)[?]

    a-s-sigs(restrictSum) = real(real,pr,bool)[!]

    a-s-sigs(sum_or)      = <real,bool>(<real,bool>,<pr,bool>)[!]

    a-s-sigs(add_to_lst)  = <real,real>(<real,real>,pr)[!]

Figure 21: Annotated sort-signatures for the user-defined π-prestabilising diffusions used in the examples (cf. Figure 18)


    a-sort(FALSE)  = false[!]
    a-sort(TRUE)   = true[!]
    a-sort(0)      = zr[!]
    a-sort(POSINF) = pr[!]

Figure 22: Annotated sorts for the ground values used in the examples

9.3. Annotated Sorts for Values. We assume a partial mapping a-sort(·) that for each ground value g:

• returns the annotated sort sort(g) [!], if g is the maximum element of ⟦sort(g)⟧ w.r.t. ≤_type(g), and

• is undefined, otherwise.

Note that Proposition 7.… guarantees the soundness of the mapping a-sort(·).

Example 9.3. Figure 22 illustrates the !-annotated sorts for the ground values used in the examples introduced throughout the paper.


9.4. Annotated Sort Checking for User-Defined Diffusions. In this section we present a decidable annotated sort checking system to check whether the π-annotated sort-signature assumptions for the user-defined diffusions d provided by the mapping a-s-sigs(·) are correct. The annotated sort-checking rules are given in Figure 23.
Pure expression annotated sort checking:   𝒜 ⊢ e : A

  [A-VAR]    x : S[?], x̄ : S̄ ⊢ x : S[?]

  [A-GVAL]   ⊤_key(S) = g
             ---------------------------------
             x : S[?], x̄ : S̄ ⊢ g : a-sort(g)

  [A-PAIR]   𝒜 ⊢ e1 : S1[π]    |𝒜| ⊢ e2 : S2        [A-FST]   𝒜 ⊢ e : <S1,S2>[π]
             --------------------------------                  --------------------
             𝒜 ⊢ <e1,e2> : <S1,S2>[π]                         𝒜 ⊢ fst e : S1[π]

  [A-COND]   |𝒜| ⊢ e0 : bool    𝒜 ⊢ e1 : A1    𝒜 ⊢ e2 : A2    A = sup_≤(A1, A2)
             ------------------------------------------------------------------
             𝒜 ⊢ e0?e1:e2 : A

  [A-COND-TRUE]   |𝒜| ⊢ e0 : true    𝒜 ⊢ e1 : A    |𝒜| ⊢ e2 : S
                  -----------------------------------------------
                  𝒜 ⊢ e0?e1:e2 : A

  [A-COND-FALSE]  |𝒜| ⊢ e0 : false    |𝒜| ⊢ e1 : S    𝒜 ⊢ e2 : A
                  -----------------------------------------------
                  𝒜 ⊢ e0?e1:e2 : A

  [A-FUN]    𝒜 ⊢ e1 : S1[π'']    |𝒜| ⊢ ē : S̄    S(···)[π'] = ms(a-s-sigs(f), S1[π''] S̄)    π = π'(π'')
             ------------------------------------------------------------------------------------------
             𝒜 ⊢ f(e1, ē) : S[π]

User-defined diffusion annotated sort checking:   ⊢ D : S̄(S̄)[π̄]

  [A-DEF]    for all S(S1 S̄)[π] ∈ a-s-sigs(d):    x : S1[?], x̄ : S̄ ⊢ e : S'[π']    S'[π'] ≤ S[π]
             ----------------------------------------------------------------------------------
             ⊢ def T d(T x, T̄ x̄) is e : a-s-sigs(d)

Figure 23: Annotated sort-checking rules for expressions and diffusion definitions


The check that a user-defined diffusion d has the annotated sort-signature S(S1,…,Sn)[π] can be done by assuming annotated sort S1 [?] for the first formal parameter of d, assuming sorts S2, …, Sn for the other formal parameters of d, and trying to assign to the body of d an annotated sort S' [π'] such that S' [π'] ≤ S [π]. According to this observation we introduce the notion of annotated sort environments, ranged over by 𝒜 and written x : S [?], x̄ : S̄, that contain one ?-annotated sort assumption and some (possibly none) sort assumptions for program variables. The annotated sort-checking rule for user-defined diffusions [A-DEF] (which derives judgements of the form ⊢ D : S̄(S̄) [π̄]) uses this strategy to check the definition of a user-defined diffusion d with respect to all the annotated sort-signatures in a-s-sigs(d).

The annotated sort-checking judgement for expressions is of the form 𝒜 ⊢ e : A, to be read: pure expression e has annotated sort A under the assumptions 𝒜 for the program variables occurring in e. The support of an annotated sort environment 𝒜, denoted by |𝒜|, is the sort environment obtained from 𝒜 by removing the input annotation, i.e.,

    |x : S [?], x̄ : S̄| = x : S, x̄ : S̄

(cf. Section 7.4). Some of the annotated sort-checking rules rely on the judgements of the sort checking system introduced in Section 8.5 to sort check some subexpressions. Namely: the right element of the pair in rule [A-PAIR]; the condition of the conditional expression in rules [A-COND], [A-COND-TRUE] and [A-COND-FALSE]; the right branch of the conditional expression in rule [A-COND-TRUE]; the left branch of the conditional expression in rule [A-COND-FALSE]; and the arguments (excluding the first one) of the pure function f (that must be a π-diffusion) in rule [A-FUN].

Annotated sort checking of variables and ground values is similar to sort checking. In particular, ground values may be given an annotated sort by construction by exploiting the mapping a-sort(·); the premise ⊤_key(S) = g ensures that the value g is relevant to the overall goal of the annotated sort checking derivation process, that is: deriving an annotated sort S' [π'] such that S' [π'] ≤ S [π] for the body e of a user-defined diffusion d in order to check that d has the annotated sort-signature S(S1,…,Sn)[π].

Note that there is no annotated sort checking rule for expressions of the form snd e: because of the leftmost-as-key preorder such an expression is not relevant to the overall goal of the annotated sort checking derivation process.

The sort-checking rule [A-FUN] for diffusion application exploits the mapping a-s-sigs(·) and the auxiliary mapping ms introduced in Section 9.1. It first infers the sort S1 [π''] for the first argument e1 of f and the sorts S̄ for the remaining arguments ē of f, then uses the most specific annotated sort-signature for S1 [π''] S̄ in a-s-sigs(f) for assigning to the application f(e1, ē) the minimum annotated sort S [π] that can be assigned to f(e1, ē) by using for f any of the annotated sort-signatures in s-sigs(f).

We say that a program (or library) P is well annotated to mean that all the user-defined function definitions in P check by using the sort-checking rules in Figure 19 and all the user-defined diffusion definitions check by using the annotated sort-checking rules in Figure 23.


Example 9.4. All user-defined functions provided in the examples in Sections 2.2 and 6.2 sort check and (when they are diffusions) annotated sort check by assuming the ground sorts and the subsorting given in Figure …, the sorts for the ground values and sensors given in Figure 15, the sort-signatures for built-in functions given in Figure 16, the annotated sorts for ground values given in Figure 22, the annotated sort-signatures for built-in functions given in Figure 20 and the annotated sort-signatures for user-defined diffusions given in Figure 21.


Since no choice needs to be made when building a derivation for a given annotated sort-checking judgement, the annotated sort-checking rules straightforwardly describe an annotated sort-checking algorithm.


9.5. Annotation Soundness. The following theorem states the correctness of the annotation-checking system presented in Section 9.4.

Theorem 9.5 (Annotation soundness). If ⊢ D : S̄(S̄) [π̄] holds, then π-prestabilising(d, S(S̄) [π]) holds for all S(S̄) [π] ∈ S̄(S̄) [π̄].

Proof. See Appendix D. □


10. Related Work and Discussion

We here discuss the main related pieces of work, rooted in previous research on finding core models for spatial computing and self-organisation, formal approaches for large-scale systems, and finally on self-stabilisation in distributed systems.
10.1. Spatial computing and self-organisation. A first step in studying general behavioural properties of self-organising systems is the identification of a reference model, making it possible to reuse results across many different models, languages and platforms. The review in […] surveys a good deal of the approaches considering some notion of space-time computations, which are the basis for any self-organising system. Examples of such models include the Hood sensor network abstraction [50], the στ-Linda model [47], the SAPERE computing model [48], and the TOTA middleware [35], which all implement computational fields using similar notions of spreading. More generally, Proto […, 5] and its core formalisation as the "field calculus" […] provide a functional model that appears general enough to serve as a starting point for investigating behavioural aspects of spatial computation and self-organisation [9]. In fact, in [10] it is proved that the field calculus is universal, in the sense that it can be used to describe any causal and discretely-approximable computation in space-time.

Hence, we started from the field calculus, in which computation is expressed by the functional combination of input fields (as provided by sensors), combined with mechanisms of space-based (neighbour) data aggregation, restriction (distributed branch) and state persistence. The calculus presented here is a fragment of the field calculus, focussing on only two basic computational elements: (i) functional composition of fields, and (ii) a spreading expression. In particular, the latter is a suitable combination of basic mechanisms of the field calculus, for which we were able to prove convergence to a single final state. Namely, a spreading expression {e0 : g(@, e1, …, en)} in our calculus is equivalent to the following field calculus expression:

    (rep x (inf) (min e0 (g (min-hood+ (nbr x)) e1 … en)))

In particular, it was key to our end to neglect recursive function calls (in order to ensure termination of device fires, since the calculus does not model the domain restriction construct [46] and both the branches of a conditional expression are evaluated), stateful operations (in our model, the state of a device is always cleaned up before computing the new one), and to restrict aggregation to the minimum function and progression to what we called "stabilising diffusion" functions.
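As an added example (not code from the paper, nor from any of the field calculus implementations it cites), the following Python simulation runs the device-level rule encoded by the field calculus expression above, with g = + and the progression argument restricted to positive values as the stabilising sort-signature real(real,pr) of Figure 17 demands, on a constructed five-device network. It checks that fair asynchronous execution reaches the same final field from several constructed initial states, including states in which every value starts too low, which is the behaviour the self-stabilisation result promises. The network, the sensor values, the initial states and the round-based scheduler are assumptions of the example.

```python
"""Device-level semantics of a spreading expression (constructed example).

Each device repeatedly fires  x := min(e0, g(min-hood+(nbr x), e1))  with g = +.
Network, sensor values, initial states and scheduler are assumptions of this
example; the only requirement taken from the paper is that the progression
argument of + has sort pr (stabilising sort-signature real(real,pr)).
"""
import math
import random

INF = math.inf

# Constructed network: undirected adjacency.  min-hood+ ranges over the
# neighbours of a device, excluding the device itself.
GRAPH = {"a": {"b", "c"}, "b": {"a", "c", "d"}, "c": {"a", "b", "d"},
         "d": {"b", "c", "e"}, "e": {"d"}}
# e0 plays the role of the #src sensor (sort zpr): 0 at the source, +inf elsewhere.
E0 = {"a": 0, "b": INF, "c": INF, "d": INF, "e": INF}
# e1 plays the role of the #dist sensor (sort pr): the cost of entering a device.
E1 = {"a": 1, "b": 1, "c": 3, "d": 2, "e": 1}

def plus(x, w):
    """The built-in diffusion +.  real(real,pr) in stb-s-sigs(+): w must be positive."""
    assert w > 0, "progression argument must have sort pr for + to be stabilising"
    return x + w

def fire(device, state, graph, e0, e1, g=plus):
    """One firing of `device`: (rep x (inf) (min e0 (g (min-hood+ (nbr x)) e1)))."""
    nbr_min = min((state[n] for n in graph[device]), default=INF)
    return min(e0[device], g(nbr_min, e1[device]))

def run_until_stable(initial, seed, graph=GRAPH, e0=E0, e1=E1, max_rounds=1000):
    """Fair asynchronous execution: every device fires once per round, in a
    random order, reading its neighbours' most recent values.  Returns the
    state after the first round in which no value changed, and the round count."""
    rng = random.Random(seed)
    state = dict(initial)
    for rounds in range(1, max_rounds + 1):
        changed = False
        order = list(graph)
        rng.shuffle(order)
        for d in order:
            new = fire(d, state, graph, e0, e1)
            if new != state[d]:
                state[d], changed = new, True
        if not changed:
            return state, rounds
    raise RuntimeError("no stable state within max_rounds")

def stable_from(initial, seed):
    """The field reached from `initial` under the schedule drawn from `seed`."""
    return run_until_stable(initial, seed)[0]

# Constructed starting points: fresh devices, every value too low, and garbage.
FRESH = {d: INF for d in GRAPH}
ALL_ZERO = {d: 0 for d in GRAPH}
GARBAGE = {"a": 7, "b": -4, "c": 0, "d": 100, "e": 2}

if __name__ == "__main__":
    for name, init in [("fresh", FRESH), ("all-zero", ALL_ZERO), ("garbage", GARBAGE)]:
        field, rounds = run_until_stable(init, seed=0)
        print(f"{name:9s} -> {field} after {rounds} rounds")
```

The stable field is the per-device shortest cost from the source a, where entering a device costs its e1 value (b and c reached directly, d through b, e through d). Starting from all zeros is the instructive case: the source re-imposes 0 and every other value is forced upwards by at least the smallest e1 per round until the true values take over, which is exactly what the positivity requirement on the progression argument buys; with a zero or negative progression such a low state could persist.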

Other than applying to fragments of the field calculus, the result provided here can be applied to rule-based systems like those of the SAPERE approach [48] and of rewrite-based coordination models […], along the lines depicted in [43]. Note that our condition for self-stabilisation is only a sufficient one. A primary example of the fact that it is not necessary is Laplacian consensus [24], expressed as follows in the field calculus:

    (rep x ε_i (+ x (* ε_a (sum-hood (- (nbr x) x)))))

It cannot be expressed in the calculus we propose here, but still stabilises to a plateau field, computed as a consensus among the values of the input field ε_i (with ε_a driving the dynamics of the output field). Other cases include so-called convergence cast […].

10.2. Formal approaches. In this paper we are interested in formally predicting the behaviour of a complex system, in which the local interactions among a possibly myriad of devices make a global and robust pattern of behaviour emerge. In the general case, one such kind of prediction can hardly be obtained.

The quintessential formal approach, model checking […], cannot typically scale with the number of involved components: suitable abstractions are needed to model arbitrary-size systems (as in […]), which however only work in very constrained situations. Approximate model checking [29, 12], basically consisting in a high number of simulation bursts, is viable in principle, but it still falls under the umbrella of semi-empirical evaluations, for only statistical results are provided. Recently, fluid flow approximation has been proposed to turn large-scale computational systems into systems of differential equations that one could solve analytically or use to derive an evaluation of system behaviour […]. Unfortunately, this approach seems so far developed only to abstract from the number of (equivalent and non-situated) agents performing a repetitive task, instead of abstracting from the discreteness of a large-scale situated computational network.

Recent works finally aim at proving properties of large-scale systems by hand-written proofs, which are the works most related to the result of the present paper. The only work aiming at a mathematical proof of stabilisation for the specific case of computational fields is […]. There, a self-healing gradient algorithm called CRF (constraints and restoring forces) is introduced to estimate physical distance in a spatial computer, where the neighbouring relation is fixed to unit-disc radio, and node firing is strictly connected to physical time. Compared to our approach, the work in […] tackles a more specific problem, and is highly dependent on the underlying spatial computer assumptions. Another work presenting a proof methodology that could be helpful in future stages of our research is the universality study in [10].

From the viewpoint of rewrite semantics […], which is the meta-model closest to our formalisation attempt, our proof is most closely related to the confluence property, that is, don't-care non-determinism. Our result entails confluence, but it is actually a much stronger property: global uniqueness of a normal form, independently of the initial state.

10.3. Self-stabilisation. Our work concerns the problem of identifying complex network computations whose outcome is predictable. The notion we focus on requires a unique global state being reached in finite time independently of the initial state, that is, depending only on the state of the environment (topology and sensors). It is named (strong) self-stabilisation since it is related to the usual notion of self-stabilisation to correct states for distributed systems [22], defined in terms of a set C of correct states which the system eventually enters in finite time, and then never escapes from; in our case, C is made of the single state corresponding to the sought result of the computation.

Actually many different versions of the notion of self-stabilisation have been adopted in the past, surveyed in […], from works of Dijkstra's [20, …] to more recent and abstract ones […], typically depending on the reference model for the system to study (protocols, state machines). In our case, self-stabilisation is studied for a distributed data structure (the computational field). Previous work in this context like […] however only considers the case of heap-like data structures in a non-distributed setting: this generally makes it difficult to draw a bridge with existing research.

Several variations of the definition also deal with different levels of quality (fairness, performance). For instance, the notion of superstabilisation [23] adds to the standard self-stabilisation definition a requirement on a "passage predicate" that should hold while a system recovers from a specific topological change. Our work does not address this very issue, since we currently completely equate the treatment of topological changes and changes to the inputs (i.e., sensors), and do not address specific performance requirements. However, future works addressing performance issues will likely require some of the techniques studied in [23]. Performance is also affected by the fairness assumption adopted: we relied on a notion abstracting from more concrete ones typically used […], which we could use as well though losing a bit of the generality of our result.

Concerning the specific technical result achieved here, the closest one appears to be the creation of a hop-count gradient, which is known to self-stabilise: this is used in […] as a preliminary step in the creation of the spanning tree of a graph. The main novelty in this context is that self-stabilisation is not proved here for a specific algorithm/system: it is proved for all fields inductively obtained by functional composition of fixed fields (sensors, values) and by a gradient-inspired spreading process. Other works attempt to devise general methodologies for building self-stabilising systems like we do. The work in […] depicts a compiler turning any protocol into a self-stabilising one. Though this is technically unrelated to our solution, it shares the philosophy of hiding the details of how self-stabilisation is achieved under the hood of the execution platform: in our case in fact, the designer wants to focus on the macro-level specification, trusting that components behave and interact so as to achieve the global outcome in a self-stabilising way. The work in […] suggests that hierarchical composition of self-stabilising programs is self-stabilising: an idea that is key to the construction of a functional language of self-stabilising "programs".

In spite of the connection with some of these previous works, to the best of our knowledge ours is novel along different dimensions. First, it is the first attempt at providing a notion of self-stabilisation directly connected to the problem of engineering self-organisation. Secondly, the idea of applying it to a whole specification language is also new, along with the fact that we apply a type-based approach, providing a correct checking procedure that paves the way towards compiler support. As we now use a type-based approach, other static analysis techniques may be worth studying in future attempts (see, e.g., [39]).


11. Conclusions and Future Work

Emerging application scenarios like pervasive computing, robotic systems, and wireless sensor networks call for developing robust and predictable large-scale situated systems. However, the diffusion/aggregation processes that typically have to be implemented therein are a source of complex phenomena, and are notoriously hard to treat formally. The goal of this work is to bootstrap a research thread in which mechanisms of self-organisation are captured by linguistic constructs, so that static analysis in the programming-language style can be used to isolate fragments with provably predictable behaviour. In the medium term, we believe this is key to providing a tool-chain (programming language, libraries, simulation and execution platforms) which enables the development of complex software systems whose behaviour retains some predictability obtained "by construction".

Along this line, this paper studies a notion of strong self-stabilisation, identifying a sufficient condition expressed on the diffusion/aggregation mechanisms occurring in the system. This targets the remarkable situation in which the final shape of the distributed data structure created (i.e., the computational field) is deterministically established, does not depend on transient events (such as temporary failures), and is determined only by the stabilised network topology. Namely, this is the case in which we can associate with a complex computation a deterministic and easily computable result.

It would be interesting to relax some of the conditions and assumptions we relied upon in this paper, so as to provide a more general self-stabilisation result. First of all, the current definition of self-stabilisation requires values to have upper bounds, to prevent network subparts that become isolated from "sources" (e.g., of a gradient) from being associated with values that grow to infinity without reaching a fixpoint: a more involved definition of self-stabilisation could be given that admits such a divergence, allowing us to relax the "noetherianity" of values. We also plan to extend the result to encompass the domain restriction construct [?] (i.e., to add to the calculus a form of conditional expression where only one of the branches is evaluated). In this way recursive function definitions could be added as well (then, in order to guarantee termination of computation rounds, standard analysis techniques for checking termination of recursive function definitions might be used). We currently focus only on spreading-like self-stabilisation, whereas recent works [?] suggest that "aggregation" patterns can be similarly addressed as well, though they might require a completely different language and proof methodology.

Of course, other behavioural properties are of interest which we plan to study in future work as an extension of the results discussed here. First, it is key to study notions of self-stabilisation for computational fields which are designed so as to be dynamically evolving, like e.g. the anticipative gradient [?]. Second, it would be interesting to extend our notion of self-stabilisation so as to take into account those cases in which only approximate reachability of the sought state is required, since it can lead to computations with better average performance, as proposed in [?]. Other aspects of interest that can be formally handled include performance characterisation, code mobility, expressiveness of mechanisms, and independence of network density, which will likely be the subject of future investigations as well.
Appendix A. Proof of Theorem 5.1 and Theorem 5.2

The proofs are given for the calculus with pairs (cf. Section [?]).

Lemma A.1 (Substitution lemma for typing). If $\bar{x} : \bar{T} \vdash e : T$, $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$ and $\emptyset \vdash \bar{v} : \bar{T}$, then $\emptyset \vdash e[\bar{x} := \bar{v}] : T$.

Proof. Straightforward by induction on the application of the typing rules for expressions in Fig. [?] and Fig. 13. □

Lemma A.2 (Device computation type preservation). If $\theta \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$, then $\emptyset \vdash \rho(\theta) : T$.

Proof. Recall that the typing rules (in Fig. [?] and Fig. [?]) and the evaluation rules (in Fig. [?] and Fig. 14) are syntax directed. The proof is by induction on the definition of $\mathit{WTVT}(\bar{x} : \bar{T}, e, T)$ (given in Section 5.1), on the number of user-defined function calls that may be encountered during the evaluation of $e[\bar{x} := \bar{v}]$ (cf. sanity condition (iii) in Section 3.1), and on the syntax of closed expressions.

From the hypothesis $\theta \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$ we have $\bar{x} : \bar{T} \vdash e : T$, $\sigma; \bar{\theta} \vdash e[\bar{x} := \bar{v}] \Downarrow \theta$ for some sensor mapping $\sigma$, evaluation trees $\bar{\theta} \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$, and values $\bar{v}$ such that $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$ and $\emptyset \vdash \bar{v} : \bar{T}$. Moreover, by Lemma A.1 we have that $\emptyset \vdash e[\bar{x} := \bar{v}] : T$ holds. The case $\bar{\theta}$ empty represents the base of the induction on the definition of $\mathit{WTVT}(\bar{x} : \bar{T}, e, T)$. Therefore the rest of this proof can be understood as a proof of the base step by assuming $\bar{\theta} = \emptyset$ and a proof of the inductive step by assuming $\bar{\theta} \neq \emptyset$.

The case when $e$ does not contain user-defined function calls represents the base of the induction on the number of user-defined function calls that may be encountered during the evaluation of $e[\bar{x} := \bar{v}]$. Therefore the rest of this proof can be understood as a proof of the base step by ignoring the cases $e[\bar{x} := \bar{v}] = f(e_1, \ldots, e_n)$ and $e[\bar{x} := \bar{v}] = \{e_0 : f(@, e_1, \ldots, e_n)\}$ when $f$ is a user-defined function $d$. The base of the induction on $e[\bar{x} := \bar{v}]$ consists of two cases.

Case $s$: From the hypothesis we have $\emptyset \vdash s : T$ where $T = \mathit{type}(s)$ (by rule [T-SNS]) and $\sigma; \bar{\theta} \vdash s \Downarrow \theta$ where $\theta = v()$ and $v = \sigma(s)$ (by rule [E-SNS]). Since the sensor $s$ returns values of type $\mathit{type}(s)$, we have that $\mathit{type}(v) = \mathit{type}(s) = T$. So the result follows by a straightforward induction on the syntax of values using rules [T-VAL] and [T-PAIR].

Case $v$: From the hypothesis we have $\emptyset \vdash v : T$ and (by rule [E-VAL]) $\sigma; \bar{\theta} \vdash v \Downarrow \theta$ where $\theta = v()$. So the result follows by a straightforward induction on the syntax of values using rules [T-VAL] and [T-PAIR].

For the inductive step on $e[\bar{x} := \bar{v}]$, we show only the two most interesting cases (all the other cases are straightforward by induction).

Case $d(e_1, \ldots, e_n)$: From the hypothesis we have $\emptyset \vdash d(e_1, \ldots, e_n) : T$ (by rule [T-FUN]) and $\sigma; \bar{\theta} \vdash d(e_1, \ldots, e_n) \Downarrow v(\theta'_1, \ldots, \theta'_n, v(\bar{\eta}))$ (by rule [E-DEF]). Therefore we have $T(T_1, \ldots, T_n) = \mathit{t\text{-}sig}(d)$, $\emptyset \vdash e_1 : T_1$, ..., $\emptyset \vdash e_n : T_n$ (the premises of rule [T-FUN]) and $\mathtt{def}\ T\ d(T_1\ x_1, \ldots, T_n\ x_n) = e''$, $\sigma; \pi_1(\bar{\theta}) \vdash e_1 \Downarrow \theta'_1$, ..., $\sigma; \pi_n(\bar{\theta}) \vdash e_n \Downarrow \theta'_n$ and

$\sigma; \pi_{n+1}(\bar{\theta}) \vdash e' \Downarrow v(\bar{\eta})$ where $e' = e''[x_1 := \rho(\theta'_1), \ldots, x_n := \rho(\theta'_n)]$ (A.1)

(the premises of rule [E-DEF]).

Since $\pi_i(\bar{\theta}) \in \mathit{WTVT}(\emptyset, e_i, T_i)$ ($1 \leq i \leq n$), then $\theta'_i \in \mathit{WTVT}(\emptyset, e_i, T_i)$; therefore, by induction we have $\emptyset \vdash \rho(\theta'_1) : T_1$, ..., $\emptyset \vdash \rho(\theta'_n) : T_n$.

Since the program is well typed (cf. Section 3.1) we have $x_1 : T_1, \ldots, x_n : T_n \vdash e'' : T$ (by rule [T-DEF]).

Since $\pi_{n+1}(\bar{\theta}) \in \mathit{WTVT}(x_1 : T_1, \ldots, x_n : T_n, e'', T)$, then (by (A.1)) we have $v(\bar{\eta}) \in \mathit{WTVT}(x_1 : T_1, \ldots, x_n : T_n, e'', T)$; therefore, by induction we have that $\emptyset \vdash v : T$.

Case $\{e_0 : f(@, e_1, \ldots, e_n)\}$: From the hypothesis we have $\emptyset \vdash \{e_0 : f(@, e_1, \ldots, e_n)\} : T$ (by rule [T-SPR]) and $\sigma; \bar{\theta} \vdash \{e_0 : f(@, e_1, \ldots, e_n)\} \Downarrow \bigwedge\{v_0, u_1, \ldots, u_m\}(\eta_0, \eta_1, \ldots, \eta_n)$ (by rule [E-SPR]). Therefore we have $\mathit{diffusion}(f)$, $T(T, T_1, \ldots, T_n) = \mathit{t\text{-}sig}(f)$, $\emptyset \vdash e_0 : T$, $\emptyset \vdash e_1 : T_1$, ..., $\emptyset \vdash e_n : T_n$ (the premises of rules [T-SPR] and [T-FUN]) and $\sigma; \pi_1(\bar{\theta}) \vdash e_1 \Downarrow \theta'_1$, ..., $\sigma; \pi_n(\bar{\theta}) \vdash e_n \Downarrow \theta'_n$, $\rho(\eta_0, \ldots, \eta_n) = v_0 \ldots v_n$, $\rho(\bar{\theta}) = w_1 \ldots w_m$,

$\sigma; \bar{\theta} \vdash f(w_1, v_1, \ldots, v_n) \Downarrow u_1(\cdots)$, ..., $\sigma; \bar{\theta} \vdash f(w_m, v_1, \ldots, v_n) \Downarrow u_m(\cdots)$ (A.2)

(the premises of rule [E-SPR]). By induction we have $\emptyset \vdash v_0 \ldots v_n : T\, T_1 \ldots T_n$ and $\emptyset \vdash w_1 : T$, ..., $\emptyset \vdash w_m : T$. We have two subcases:

• If $f$ is a user-defined function, then from (A.2) we get (by reasoning as in the proof of case $d(e_1, \ldots, e_n)$) $\emptyset \vdash u_1 : T$, ..., $\emptyset \vdash u_m : T$.

• If $f$ is a built-in function, then from (A.2) we get (by the semantics of built-in functions) $\emptyset \vdash u_1 : T$, ..., $\emptyset \vdash u_m : T$.

In both cases $v = \bigwedge\{v_0, u_1, \ldots, u_m\}$ has type $T$, i.e., $\emptyset \vdash v : T$ holds. □

Restatement of Theorem 5.1 (Device computation type preservation). If $\bar{x} : \bar{T} \vdash e : T$, $\sigma$ is a sensor mapping, $\bar{\theta} \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$, $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$, $\emptyset \vdash \bar{v} : \bar{T}$ and $\sigma; \bar{\theta} \vdash e[\bar{x} := \bar{v}] \Downarrow \theta$, then $\emptyset \vdash \rho(\theta) : T$.

Proof. Straightforward by Lemma A.2, since $\theta \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$. □
Restatement of Theorem 5.2 (Device computation termination). If $\bar{x} : \bar{T} \vdash e : T$, $\sigma$ is a sensor mapping, $\bar{\theta} \in \mathit{WTVT}(\bar{x} : \bar{T}, e, T)$, $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$ and $\emptyset \vdash \bar{v} : \bar{T}$, then $\sigma; \bar{\theta} \vdash e[\bar{x} := \bar{v}] \Downarrow \theta$ for some value-tree $\theta$.

Proof. By induction on the number of function calls that may be encountered during the evaluation of $e[\bar{x} := \bar{v}]$ (cf. sanity condition (iii) in Section 3.1) and on the syntax of closed expressions, using Lemma [?]. □


Appendix B. Proof of Theorem 5.3

Recall the auxiliary definitions and the outline of the proof of Theorem 5.3 given in Section 5.2. The following six lemmas correspond to the auxiliary results B.1 to B.6 introduced in Section 5.2.

Lemma B.1 (Minimum value). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$, for any device $\iota$ in $N$ such that $v_\iota(\text{in } N)$ is minimum (among the values of the devices in $N$):

(1) if $N \Rightarrow_1 N'$ and $\iota' \neq \iota$, then $v_{\iota'}(\text{in } N') \geq v_\iota(\text{in } N') = v_\iota(\text{in } N)$, which is minimum (among the values of the devices in $N'$); and

(2) either $v_\iota(\text{in } N) = v_{0,\iota}$ (i.e., $\iota$ is self-stable in $N$) or, if $N \Rightarrow_1 N'$, then there exists $v'$ such that:

(a) $v_\iota(\text{in } N) < v' \leq v_\iota(\text{in } N')$; and

(b) if $N' \Rightarrow N''$, then $v' \leq v_\iota(\text{in } N'')$.

Proof. Point (1). Consider a device $\iota' \neq \iota$. Then $v_\iota(\text{in } N) \leq v_{0,\iota'}$ and its $m \geq 0$ neighbours have values $w_j$ such that $v_\iota(\text{in } N) \leq w_j$ ($1 \leq j \leq m$). Since the stabilising diffusion assumptions hold, $w_j < [\![f]\!](w_j, v_{1,\iota'}, \ldots, v_{n,\iota'}) = u_j$. Therefore, $v_\iota(\text{in } N) \leq \bigwedge\{v_{0,\iota'}, u_1, \ldots, u_m\} = v_{\iota'}(\text{in } N')$. So $v_\iota(\text{in } N') = v_\iota(\text{in } N)$ is minimum (among the values of the devices in $N'$).

Point (2). Assume that $v_\iota < v_{0,\iota}$. The $m \geq 0$ neighbours of $\iota$ have values $w_j$ such that $v_\iota \leq w_j$ ($1 \leq j \leq m$). Since the stabilising diffusion assumptions hold, $v_\iota < [\![f]\!](v_\iota(\text{in } N), v_{1,\iota}, \ldots, v_{n,\iota}) = u_0$ and $u_0 \leq [\![f]\!](w_j, v_{1,\iota}, \ldots, v_{n,\iota}) = u_j$. Therefore, the value $v' = v_{0,\iota} \wedge u_0$ is such that when $\iota$ fires its new value $v_\iota(\text{in } N') = \bigwedge\{v_{0,\iota}, u_1, \ldots, u_m\}$ satisfies $v_\iota(\text{in } N) < v' \leq v_\iota(\text{in } N')$. Moreover, since $v_\iota(\text{in } N) \leq v_\iota(\text{in } N')$ we have that in a firing evolution none of the devices $\iota' \neq \iota$ will reach a value less than $v_\iota(\text{in } N)$; therefore the device $\iota$ will never reach a value less than $v'$. □

Lemma B.2 (Self-stabilisation of the minimum value). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$, if $S_1$ is the subset of the devices in $N$ such that $v_{0,\iota}$ is minimum (among the values of $e_0$ in the devices in $N$), then there exists $k \geq 0$ such that $N \Rightarrow_k N'$ implies that $S_1$ satisfies the following conditions:

(1) each device $\iota$ in $S_1$ is self-stable in $N'$ and has value $v_\iota(\text{in } N') = v_{0,\iota}$;

(2) in $N'$ each device not in $S_1$ has a value greater than or equal to the values of the devices in $S_1$ and, during any firing evolution, it will always assume values greater than the values of the devices in $S_1$.


Proof. The number of devices in the network configuration is finite, the environment does not change, the network is pre-self-stable, and the stabilising diffusion assumptions hold. The result follows by Lemma B.1. Namely, if there is a device $\iota$ whose value $v_\iota$ is minimum and such that $v_\iota < v_{0,\iota}$, then after a 1-fair network evolution $\iota$ reaches a value which is greater than or equal to some $v'$ such that

• $v_\iota < v' \leq v_{0,\iota}$; and

• in any subsequent firing evolution the value of $\iota$ will always be greater than or equal to $v'$.

Therefore, after a finite number $k$ of 1-fair evolutions (i.e., after any $k$-fair evolution) conditions (1) and (2) in the statement of the lemma are satisfied. □

Lemma B.3 (Frontier). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$ with devices $D$ and a non-empty subset of devices $S \subseteq D$ such that

(i) each device in $S$ is self-stable in $N$;

(ii) each device in $D - S$ has a value greater than or equal to the values of the devices in $S$ and, during any firing evolution, will always assume values greater than or equal to the values of the devices in $S$; and

(iii) $\mathit{frontier}_S(D) \neq \emptyset$;

if $N \Rightarrow_1 N'$ then each device in $\mathit{frontier}_S(D)$ is self-stable in $N'$.

Proof. When a device $\iota$ in $\mathit{frontier}_S(D)$ fires it gets the value

$v_{0,\iota} \wedge [\![f]\!](v_{\iota'}, v_{1,\iota}, \ldots, v_{n,\iota})$

where $\iota' \in S$ is the neighbour of $\iota$ that has minimum value (among the neighbours of $\iota$). This value is univocally determined by $\mathit{environment}(N)$ and is stable, since the values $v_{\iota'}$ and $v_{j,\iota}$ ($0 \leq j \leq n$) are stable and in any firing evolution each neighbour of $\iota$ assumes only values greater than or equal to $v_{\iota'}$. □

Note that conditions (i)-(iii) of the following lemma are exactly the same as in Lemma B.3.

Lemma B.4 (Minimum value not in $S$). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$ with devices $D$ and a non-empty subset of devices $S \subseteq D$ such that

(i) each device in $S$ is self-stable in $N$;

(ii) each device in $D - S$ has a value greater than or equal to the values of the devices in $S$ and, during any firing evolution, will always assume values greater than or equal to the values of the devices in $S$;

(iii) $\mathit{frontier}_S(D) \neq \emptyset$; and

(iv) each device in $\mathit{frontier}_S(D)$ is self-stable in $N$;

if $M \subseteq D - S$ is the set of devices $\iota$ such that $v_\iota(\text{in } N)$ is minimum (among the values of the devices in $D - S$), then

(1) if $\iota \in M$, $N \Rightarrow_1 N'$ and $\iota' \neq \iota$, then $v_{\iota'}(\text{in } N') \geq v_\iota(\text{in } N') = v_\iota(\text{in } N)$, which is minimum (among the values of the devices in $D - S$ in $N'$);

(2) if $M \cap \mathit{frontier}_S(D) = \emptyset$, then there is a device $\iota \in M$ such that either $v_\iota(\text{in } N) = v_{0,\iota}$ (i.e., $\iota$ is self-stable in $N$) or, if $N \Rightarrow_1 N'$, then there exists $v'$ such that:

(a) $v_\iota(\text{in } N) < v' \leq v_\iota(\text{in } N')$; and

(b) if $N' \Rightarrow N''$, then $v' \leq v_\iota(\text{in } N'')$.

Proof. Since the self-stable values in $\mathit{frontier}_S(D)$ ensure that in any firing evolution the values of the devices in $D - (S \cup \mathit{frontier}_S(D))$ are computed without using the values of the devices in $S$, the proof is similar to the proof of Lemma B.1.

Point (1). Consider a device $\iota' \notin S \cup M$. Then $v_\iota(\text{in } N) \leq v_{0,\iota'}$ and its $m \geq 0$ neighbours have values $w_j$ such that $v_\iota(\text{in } N) \leq w_j$ ($1 \leq j \leq m$). Since the stabilising diffusion assumptions hold, $w_j < [\![f]\!](w_j, v_{1,\iota'}, \ldots, v_{n,\iota'}) = u_j$. Therefore, $v_\iota(\text{in } N) \leq \bigwedge\{v_{0,\iota'}, u_1, \ldots, u_m\} = v_{\iota'}(\text{in } N')$. So $v_\iota(\text{in } N') = v_\iota(\text{in } N)$ is minimum (among the values of the devices of $D - S$ in $N'$).

Point (2). Assume that $v_\iota < v_{0,\iota}$. The $m \geq 0$ neighbours of $\iota$ have values $w_j$ such that $v_\iota \leq w_j$ ($1 \leq j \leq m$). Since the stabilising diffusion assumptions hold, $v_\iota < [\![f]\!](v_\iota(\text{in } N), v_{1,\iota}, \ldots, v_{n,\iota}) = u_0$ and $u_0 \leq [\![f]\!](w_j, v_{1,\iota}, \ldots, v_{n,\iota}) = u_j$. Therefore, the value $v' = v_{0,\iota} \wedge u_0$ is such that when $\iota$ fires its new value $v_\iota(\text{in } N') = \bigwedge\{v_{0,\iota}, u_1, \ldots, u_m\}$ satisfies $v_\iota(\text{in } N) < v' \leq v_\iota(\text{in } N')$. Moreover, since $v_\iota(\text{in } N) \leq v_\iota(\text{in } N')$ we have that in a firing evolution none of the devices $\iota' \in D - (S \cup \{\iota\})$ will reach a value less than $v_\iota(\text{in } N)$, and therefore the device $\iota$ will never reach a value less than $v'$. □

Note that conditions (i)-(iv) of the following lemma are exactly the same as in Lemma B.4.

Lemma B.5 (Self-stabilisation of the minimum value not in $S$). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$ with devices $D$ and a non-empty subset of devices $S \subseteq D$ such that

(i) each device in $S$ is self-stable in $N$;

(ii) each device in $D - S$ has a value greater than or equal to the values of the devices in $S$ and, during any firing evolution, will always assume values greater than or equal to the values of the devices in $S$;

(iii) $\mathit{frontier}_S(D) \neq \emptyset$; and

(iv) each device in $\mathit{frontier}_S(D)$ is self-stable in $N$;

there exists $k \geq 0$ such that $N \Rightarrow_k N'$ implies that there exists a device $\iota_1$ in $D - S$ such that $S_1 = S \cup \{\iota_1\}$ satisfies the following conditions:

(1) each device $\iota$ in $S_1$ is self-stable in $N'$; and

(2) in $N'$ any device in $D - S_1$ has a value greater than or equal to the values of the devices in $S_1$ and, during any firing evolution, will always assume values greater than the values of the devices in $S_1$.


Proof. Let $M \subseteq D - S$ be the set of devices $\iota$ such that $v_\iota(\text{in } N)$ is minimum (among the values of the devices in $D - S$). We consider two cases.

$M \cap \mathit{frontier}_S(D) \neq \emptyset$: Any of the devices $\iota_1 \in M \cap \mathit{frontier}_S(D)$ is such that conditions (1) and (2) in the statement of the lemma are satisfied.

$M \cap \mathit{frontier}_S(D) = \emptyset$: The number of devices in the network configuration is finite, the environment does not change, the network is pre-self-stable, and the stabilising diffusion condition holds. The result follows by Lemma B.4. Namely, if there is a device $\iota \in M$ such that $v_\iota < v_{0,\iota}$, then after a 1-fair network evolution $\iota$ reaches a value which is greater than or equal to some $v'$ such that

• $v_\iota < v' \leq v_{0,\iota}$; and

• in any subsequent firing evolution the value of $\iota$ will always be greater than or equal to $v'$.

Therefore, after a finite number $k$ of 1-fair evolutions (i.e., after any $h$-fair evolution with $h \geq k$) conditions (1) and (2) in the statement of the lemma are satisfied. □


Lemma B.6 (Pre-self-stable network self-stabilisation). Given a program $e = \{e_0 : f(@, e_1, \ldots, e_n)\}$ with valid sort and stabilising diffusion assumptions, for every reachable pre-self-stable network configuration $N$ there exists $k \geq 0$ such that $N \Rightarrow_k N'$ implies that $N'$ is self-stable.


Proof. Let $D$ be the set of devices of $N$. The proof is by induction on the number of devices in $D$.

Case $D = \emptyset$: Immediate.

Case $D \neq \emptyset$: By Lemma B.2 there exists $k_0 \geq 0$ such that after any $k_0$-fair evolution there is a non-empty set of devices $S_1$ that satisfies conditions (1) and (2) in the statement of Lemma B.2 (and, therefore, also conditions (1) and (2) in the statement of Lemma B.5).

Now rename $S_1$ to $S$, consider a counter $c$ initially equal to 1, and iterate the following two reasoning steps while the set of devices $S$ is such that $\mathit{frontier}_S(D) \neq \emptyset$:

• By Lemma B.3 and Lemma B.5 there exists $k_c \geq 0$ such that after any $k_c$-fair evolution there is a non-empty set of devices $S_1$ that satisfies conditions (1) and (2) in the statement of Lemma B.5.

• Rename $S_1$ to $S$ and increment the value of $c$.

Since at each iteration the number of devices in $S$ is increased by one, the number of iterations is finite (note that $S = D$ implies $\mathit{frontier}_S(D) = \emptyset$). After the last iteration, we have proved that there exists $k' = [?]$ such that after any $k'$-fair evolution there is a non-empty set of devices $S$ that satisfies conditions (1) and (2) in the statement of Lemma B.5. Since $\mathit{frontier}_S(D) = \emptyset$, the evolution of the devices in $D - S$ is independent from the devices in $S$. By induction there exists $k'' \geq 0$ such that after any $k''$-fair evolution the portion of the network with devices in $D - S$ is self-stable. Therefore, we have proved the lemma with $k = k' + k''$. □

Footnote: In particular, since the self-stable values in $\mathit{frontier}_S(D)$ ensure that in any firing evolution the values of the devices in $D - (S \cup \mathit{frontier}_S(D))$ are computed without using the values of the devices in $S$, the proof of this case is similar to the proof of Lemma B.2 (by using Lemma B.4 instead of Lemma B.1).


Restatement of Theorem 5.3 (Network self-stabilisation for programs that satisfy the stabilising-diffusion condition). Given a program with valid sort and stabilising diffusion assumptions, every reachable network configuration $N$ self-stabilises, i.e., there exists $k \geq 0$ such that $N \Rightarrow_k N'$ implies that $N'$ is self-stable.


Proof. By induction on the syntax of closed expressions $e$ and on the number of function calls that may be encountered during the evaluation of $e$. Let $E = \mathit{environment}(N)$.

Case $v$: Any device fire produces the value-tree $v()$ (independently from $E$).

Case $s$: Each fire of device $\iota$ produces the value-tree $v()$, where $v = \sigma_\iota(s)$ is univocally determined by $E$.

Case $b(\bar{e})$: Straightforward by induction.

Case $f(\bar{e})$: Straightforward by induction.

Case $\{e_0 : f(@, e_1, \ldots, e_n)\}$: By induction there exists $h \geq 0$ such that if $N \Rightarrow_h N_1$ then on every device $\iota$, the evaluation of $e_0, e_1, \ldots, e_n$ produces stable value-trees $\theta_{0,\iota}, \theta_{1,\iota}, \ldots, \theta_{n,\iota}$, which are univocally determined by $E$. Note that, if $N \Rightarrow_{h+1} N_2$ then $N_2$ is pre-self-stable. Therefore the result follows straightforwardly by Lemma B.6. □
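The spreading construct and the stabilisation argument of Lemmas B.1 to B.6 (minimum devices settle first, cut-off subparts climb to the upper bound, the fixpoint depends on the environment only), as an added simulation that is not code from the paper. It assumes a hop-count diffusion function $f(w) = \min(w + 1, \mathit{TOP})$ over the finite chain $0..\mathit{TOP}$, approximates a 1-fair evolution by one synchronous round in which every device fires once, and constructs its own topology and $e_0$ inputs.

```python
"""Simulation of the spreading construct {e0 : f(@, e1, ..., en)}.

Added example, not the paper's code. Assumptions made here: values are
integers in the finite chain 0..TOP (TOP models the upper bound the paper
requires to avoid divergence), the diffusion function is the hop-count step
f(w) = min(w + 1, TOP), which satisfies the stabilising diffusion assumption
f(w) > w for every w < TOP, and a 1-fair evolution is approximated by one
synchronous round in which every device fires exactly once. The topology
and the inputs e0 are constructed for the example.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

TOP = 100                           # upper bound of the value sort
Values = Dict[int, int]             # device -> current value
Topology = Dict[int, Set[int]]      # device -> set of neighbour devices


def make_topology(n: int, edges: Iterable[Tuple[int, int]]) -> Topology:
    """Symmetric neighbour relation over devices 0..n-1 (constructed input)."""
    topo: Topology = {d: set() for d in range(n)}
    for a, b in edges:
        topo[a].add(b)
        topo[b].add(a)
    return topo


def f(w: int) -> int:
    """Diffusion function: hop-count step, strictly increasing below TOP."""
    return min(w + 1, TOP)


def fire(dev: int, values: Values, e0: Values, topo: Topology) -> int:
    """One firing of dev (rule [E-SPR]): the minimum of e0 and of f applied to
    the last value received from each neighbour."""
    return min([e0[dev]] + [f(values[n]) for n in topo[dev]])


def fair_round(values: Values, e0: Values, topo: Topology) -> Values:
    """One synchronous round: every device fires once, reading the values its
    neighbours held at the start of the round."""
    return {d: fire(d, values, e0, topo) for d in topo}


def evolve(values: Values, e0: Values, topo: Topology,
           max_rounds: int = 10 * TOP) -> Tuple[Values, int]:
    """Fire rounds until a fixpoint; returns (fixpoint, number of rounds that
    changed something). max_rounds only guards the simulation: with f bounded
    by TOP a fixpoint is always reached, which is what Theorem 5.3 guarantees."""
    for rounds in range(max_rounds):
        nxt = fair_round(values, e0, topo)
        if nxt == values:
            return values, rounds
        values = nxt
    raise RuntimeError("no fixpoint within max_rounds")


def expected_gradient(e0: Values, topo: Topology) -> Values:
    """Reference result computed independently of the firing dynamics: a
    multi-source BFS from the devices with e0 == 0. Devices cut off from every
    source get TOP, the value the bounded sort forces them to settle on."""
    dist = {d: TOP for d in topo}
    queue = deque(d for d in topo if e0[d] == 0)
    for d in queue:
        dist[d] = 0
    while queue:
        d = queue.popleft()
        for n in topo[d]:
            if dist[n] == TOP and dist[d] + 1 < TOP:
                dist[n] = dist[d] + 1
                queue.append(n)
    return dist


def self_stabilises(e0: Values, topo: Topology, starts: List[Values]) -> bool:
    """Self-stability as the paper defines it: whatever transient state the
    network starts from, the fixpoint is determined by the environment alone."""
    target = expected_gradient(e0, topo)
    return all(evolve(dict(s), e0, topo)[0] == target for s in starts)


def minimum_devices_first(e0: Values, topo: Topology, start: Values) -> bool:
    """Lemma B.2 at the fixpoint: the devices whose e0 is minimum hold exactly
    e0, and every other device holds a strictly greater value."""
    fp, _ = evolve(dict(start), e0, topo)
    m = min(e0.values())
    s1 = {d for d in topo if e0[d] == m}
    return all(fp[d] == m for d in s1) and all(fp[d] > m for d in topo if d not in s1)


if __name__ == "__main__":
    # Constructed scenario: a five-device chain, device 0 is the only source.
    topo = make_topology(5, [(0, 1), (1, 2), (2, 3), (3, 4)])
    e0 = {0: 0, 1: TOP, 2: TOP, 3: TOP, 4: TOP}
    fp, rounds = evolve({d: TOP for d in topo}, e0, topo)
    print("stable gradient", fp, "after", rounds, "rounds")
    # A link failure cuts devices 3 and 4 off from the source: their values
    # climb by one per firing until they hit TOP, then the network is stable
    # again. Without the bound this climb would never end (see Section 11).
    fp2, rounds2 = evolve(fp, e0, make_topology(5, [(0, 1), (1, 2), (3, 4)]))
    print("after link failure", fp2, "after", rounds2, "rounds")
```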


Appendix C. Proof of Theorem 8.6

The proof of Theorem 8.6 is similar to the proof of Theorem 5.1 (cf. Appendix A); see Remark 8.7.

Lemma C.1 (Substitution lemma for sorting). If $\bar{x} : \bar{S} \vdash e : S$, $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$, $\emptyset \vdash \bar{v} : \bar{S}'$ and $\bar{S}' \leq \bar{S}$, then $\emptyset \vdash e[\bar{x} := \bar{v}] : S'$ for some $S'$ such that $S' \leq S$.

Proof. Straightforward by induction on the application of the sort-checking rules for expressions in Fig. [?]. □
Lemma C.2 (Device computation sort preservation). If $\theta \in \mathit{WSVT}(\bar{x} : \bar{S}, e, S)$, then $\emptyset \vdash \rho(\theta) : S'$ for some $S'$ such that $S' \leq S$.


Proof. Recall that the sorting rules (in Fig. 19) and the evaluation rules (in Fig. [?] and Fig. 14) are syntax directed. The proof is by induction on the definition of $\mathit{WSVT}(\bar{x} : \bar{S}, e, S)$ (given in Section 8.6), on the number of user-defined function calls that may be encountered during the evaluation of $e[\bar{x} := \bar{v}]$ (cf. sanity condition (iii) in Section 3.1), and on the syntax of closed expressions.

From the hypothesis $\theta \in \mathit{WSVT}(\bar{x} : \bar{S}, e, S)$ we have $\bar{x} : \bar{S} \vdash e : S$, $\sigma; \bar{\theta} \vdash e \Downarrow \theta$ for some sensor mapping $\sigma$, evaluation trees $\bar{\theta} \in \mathit{WSVT}(\bar{x} : \bar{S}, e, S)$, and values $\bar{v}$ such that $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$, $\emptyset \vdash \bar{v} : \bar{S}'$, and $\bar{S}' \leq \bar{S}$. The case $\bar{\theta}$ empty represents the base of the induction on the definition of $\mathit{WSVT}(\bar{x} : \bar{S}, e, S)$. Therefore the rest of this proof can be understood as a proof of the base step by assuming $\bar{\theta} = \emptyset$ and a proof of the inductive step by assuming $\bar{\theta} \neq \emptyset$. Moreover, by Lemma C.1 we have that $\emptyset \vdash e[\bar{x} := \bar{v}] : S'$ for some $S'$ such that $S' \leq S$.

The case when $e$ does not contain user-defined function calls represents the base of the induction on the number of user-defined function calls that may be encountered during the evaluation of $e[\bar{x} := \bar{v}]$. Therefore the rest of this proof can be understood as a proof of the base step by ignoring the cases $e[\bar{x} := \bar{v}] = f(e_1, \ldots, e_n)$ and $e[\bar{x} := \bar{v}] = \{e_0 : f(@, e_1, \ldots, e_n)\}$ when $f$ is a user-defined function $d$. The base of the induction on $e[\bar{x} := \bar{v}]$ consists of two cases.


Case $s$: From the hypothesis we have $\emptyset \vdash s : S$ where $S = \mathit{sort}(s)$ (by rule [T-SNS]) and $\sigma; \bar{\theta} \vdash s \Downarrow \theta$ where $\theta = v()$ and $v = \sigma(s)$ (by rule [E-SNS]). Since the sensor $s$ returns values of sort $\mathit{sort}(s)$, we have that $\mathit{sort}(v) \leq \mathit{sort}(s) = S$. So the result follows by a straightforward induction on the syntax of values using rules [S-VAL] and [S-PAIR].

Case $v$: From the hypothesis we have $\emptyset \vdash v : S$ and (by rule [E-VAL]) $\sigma; \bar{\theta} \vdash v \Downarrow \theta$ where $\theta = v()$. So the result follows by a straightforward induction on the syntax of values using rules [S-VAL] and [S-PAIR].


For the inductive step on $e[\bar{x} := \bar{v}]$, we show only the two most interesting cases (all the other cases are straightforward by induction).

Case $d(e_1, \ldots, e_n)$: From the hypothesis we have $\emptyset \vdash d(e_1, \ldots, e_n) : S$ (by rule [S-FUN]) and $\sigma; \bar{\theta} \vdash d(e_1, \ldots, e_n) \Downarrow v(\theta'_1, \ldots, \theta'_n, v(\bar{\eta}))$ (by rule [E-DEF]). Therefore we have $S(S_1, \ldots, S_n) = \mathit{ms}(\mathit{s\text{-}sigs}(d), S'_1, \ldots, S'_n)$, $\emptyset \vdash e_1 : S'_1$, ..., $\emptyset \vdash e_n : S'_n$ and $S'_1 \leq S_1$, ..., $S'_n \leq S_n$ (by the premises of rule [S-FUN]) and $\mathtt{def}\ T\ d(T_1\ x_1, \ldots, T_n\ x_n) = e''$, $\sigma; \pi_1(\bar{\theta}) \vdash e_1 \Downarrow \theta'_1$, ..., $\sigma; \pi_n(\bar{\theta}) \vdash e_n \Downarrow \theta'_n$ and

$\sigma; \pi_{n+1}(\bar{\theta}) \vdash e' \Downarrow v(\bar{\eta})$ where $e' = e''[x_1 := \rho(\theta'_1), \ldots, x_n := \rho(\theta'_n)]$ (C.1)

(the premises of rule [E-DEF]).

Since $\pi_i(\bar{\theta}) \in \mathit{WSVT}(\emptyset, e_i, S'_i)$ ($1 \leq i \leq n$), then $\theta'_i \in \mathit{WSVT}(\emptyset, e_i, S'_i)$; therefore, by induction we have $\emptyset \vdash \rho(\theta'_1) : S''_1$, ..., $\emptyset \vdash \rho(\theta'_n) : S''_n$ and $S''_1 \leq S'_1 \leq S_1$, ..., $S''_n \leq S'_n \leq S_n$.

Since the program is well sorted (cf. Section 8.5) we have $x_1 : S_1, \ldots, x_n : S_n \vdash e'' : S'$ and $S' \leq S$ (by rule [T-DEF]).

Since $\pi_{n+1}(\bar{\theta}) \in \mathit{WSVT}(x_1 : S_1, \ldots, x_n : S_n, e'', S')$, then (by (C.1)) we have $v(\bar{\eta}) \in \mathit{WSVT}(x_1 : S_1, \ldots, x_n : S_n, e'', S')$; therefore, by induction we have that $\emptyset \vdash v : S''$ with $S'' \leq S' \leq S$.

Case $\{e_0 : f(@, e_1, \ldots, e_n)\}$: From the hypothesis we have $\emptyset \vdash \{e_0 : f(@, e_1, \ldots, e_n)\} : S'$ (by rule [S-SPR]) and $\sigma; \bar{\theta} \vdash \{e_0 : f(@, \bar{e})\} \Downarrow \bigwedge\{v_0, u_1, \ldots, u_m\}(\eta_0, \eta_1, \ldots, \eta_n)$ (by rule [E-SPR]). Therefore we have $\mathit{diffusion}(f)$, $\emptyset \vdash e_0\, \bar{e} : S'_0\, \bar{S}'$, $S'(S'_0\, \bar{S}') = \mathit{ms}(\mathit{stb\text{-}s\text{-}sigs}(f), S'_0\, \bar{S}')$, $S = \sup_{\leq}(S'_0, S')$ and $S'_0\, \bar{S}' \leq S_0\, \bar{S}$ (by the premises of rule [S-SPR]) and $\sigma; \pi_1(\bar{\theta}) \vdash e_1 \Downarrow \theta'_1$, ..., $\sigma; \pi_n(\bar{\theta}) \vdash e_n \Downarrow \theta'_n$, $\rho(\eta_0, \ldots, \eta_n) = v_0 \ldots v_n$, $\rho(\bar{\theta}) = w_1 \ldots w_m$,

$\sigma; \bar{\theta} \vdash f(w_1, v_1, \ldots, v_n) \Downarrow u_1(\cdots)$, ..., $\sigma; \bar{\theta} \vdash f(w_m, v_1, \ldots, v_n) \Downarrow u_m(\cdots)$ (C.2)

(the premises of rule [E-SPR]). By induction we have $\emptyset \vdash v_0 \ldots v_n : S''_0\, S''_1 \ldots S''_n$ with $S''_0\, S''_1 \ldots S''_n \leq S'_0\, S'_1 \ldots S'_n$ and $\emptyset \vdash w_1 : S'''_1$, ..., $\emptyset \vdash w_m : S'''_m$ with $S'''_i \leq S \leq S_0$ ($1 \leq i \leq m$). We have two subcases.

• If $f$ is a user-defined function, then from (C.2) we get (by reasoning as in the proof of case $d(e_1, \ldots, e_n)$) $\emptyset \vdash u_1 : S''''_1$, ..., $\emptyset \vdash u_m : S''''_m$ for some $S''''_i$ such that $S''''_i \leq S'$ ($1 \leq i \leq m$).

• If $f$ is a built-in function, then from (C.2) we get (by the semantics of built-in functions) $\emptyset \vdash u_1 : S''''_1$, ..., $\emptyset \vdash u_m : S''''_m$ for some $S''''_i$ such that $S''''_i \leq S'$ ($1 \leq i \leq m$).

In both cases $v = \bigwedge\{v_0, u_1, \ldots, u_m\}$ has a sort $S'''$ with $S''' \leq S$, i.e., $\emptyset \vdash v : S'''$ with $S''' \leq S$ holds. □


Restatement of Theorem 8.6 (Device computation sort preservation). If $\bar{x} : \bar{S} \vdash e : S$, $\sigma$ is a sensor mapping, $\bar{\theta} \in \mathit{WSVT}(\bar{x} : \bar{S}, e, S)$, $\mathit{length}(\bar{v}) = \mathit{length}(\bar{x})$, $\emptyset \vdash \bar{v} : \bar{S}'$, $\bar{S}' \leq \bar{S}$, and $\sigma; \bar{\theta} \vdash e[\bar{x} := \bar{v}] \Downarrow \theta$, then $\emptyset \vdash \rho(\theta) : S'$ for some $S'$ such that $S' \leq S$.

Proof. Straightforward by Lemma C.2, since $\theta \in \mathit{WSVT}(\bar{x} : \bar{S}, e, S)$. □


Appendix D. Proof of Theorem 9.5

Lemma D.1 (Annotated sort of an expression). If $x_1 : S_1[?], \bar{x} : \bar{S} \vdash e : S[\pi]$, then $x_1 : S_1, \bar{x} : \bar{S} \vdash e : S$ and $\mathit{key}(S_1)$ [?] $\mathit{key}(S)$.

Proof. Straightforward by induction on the application of the annotated sort checking rules for expressions in Fig. [?]. □

A pure expression $e$ with free variables $\bar{x}$ of sorts $\bar{S}$ represents the pure function that for every $\bar{v} \in [\![\bar{S}]\!]$ returns the value $[\![e[\bar{x} := \bar{v}]]\!]$. In the following we will write $\mathit{fun}(e)$ to denote such a function.


Lemma D.2 (Annotation soundness for expressions). If $x_1 : S_1[?], \bar{x} : \bar{S} \vdash e : S[\pi]$ and $\bar{v} \in [\![\bar{S}]\!]$, then

(1) if $\pi = \,!$ then

• $v <_{S_1} v'$ and $[\![\mathit{fun}(e)]\!](v, \bar{v}) = v'' \neq \top_S$ imply $v'' <_S [\![\mathit{fun}(e)]\!](v', \bar{v})$;

• for all $v \in [\![S_1]\!] - \{\top_{S_1}\}$, $\mathit{key}(v) <_{\mathit{key}(S_1)} \mathit{key}([\![\mathit{fun}(e)]\!](v, \bar{v}))$;

(2) if $\pi \in \{/, ?\}$ then

• $v \leq_{S_1} v'$ implies $[\![\mathit{fun}(e)]\!](v, \bar{v}) \leq_S [\![\mathit{fun}(e)]\!](v', \bar{v})$;

• for all $v \in [\![S_1]\!]$, $\mathit{key}(v) \leq_{\mathit{key}(S_1)} \mathit{key}([\![\mathit{fun}(e)]\!](v, \bar{v}))$.

Proof. By Lemma D.1, $[\![e]\!]$ has sort $S(S_1\, \bar{S})$ and either $\mathit{key}(S_1)$ [?] $\mathit{key}(S)$ or $\mathit{key}(S)$ [?] $\mathit{key}(S_1)$. Recall that the annotated sort checking rules (in Fig. 23) and the evaluation rules (in Fig. [?] and Fig. 14) are syntax directed. By induction on the syntax of pure expressions $e$. The base of the induction on $e$ consists of two cases.

Case $x$: Immediate by rule [A-VAR].

Case $v$: Straightforward by rule [A-GVAL] and Proposition [?].

For the inductive step on $e$, we show only the case for function application (all the other cases are straightforward by induction).

Case $f(e_1, \bar{e})$: Then the premises of rule [A-FUN]:

• $\mathcal{A} \vdash e_1 : S'_1[\pi'']$

• $|\mathcal{A}| \vdash \bar{e} : \bar{S}'$

• $S(S''_1\, \bar{S}'')[\pi'] \in \mathit{ms}(\mathit{a\text{-}s\text{-}sigs}(f), S'_1\, \bar{S}')$

hold and $\pi = [?]$. By the last premise, we have that $\pi'$-$\mathit{prestabilising}(f, S(S''_1\, \bar{S}''))$ holds. Then, the result follows straightforwardly by induction (using Definition 7.1). □
Restatement of Theorem 9.5 (Annotation soundness). If $D : \overline{S(\bar{S})[\pi]}$ holds, then $\pi$-$\mathit{prestabilising}(f, S(\bar{S}))$ holds for all $S(\bar{S})[\pi] \in \overline{S(\bar{S})[\pi]}$.

Proof. Straightforward from rule [A-DEF] in Fig. [?] using Lemma D.2 and Proposition 7.4. □